Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to strip leading zeros from a field and join with another set of events to create a new field?

garryclarke
Path Finder
‎09-01-2014 06:14 AM

I have a set of events on an input stream which I need to query and want to carry out a join with another data set which needs a leading zero stripped from it. For example the number 0209999948 below needs to key with another field 209999948

LW,0209999948,,NOR,1,L,00137

I am currently looking at extracting another separate field in props.conf but I’m having difficulty in stripping the leading zero in the new field call DN_STRIP.
EXTRACT-DN_STRIP = (?i),(?P[^,]+)
Can this stripping also be done in the props.conf, or do I need to be looking at a regex in the transforms.conf

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

bjoernjensen
Contributor
‎09-01-2014 02:14 PM

Hi Garry!

Amongst other things you could:

  • remove the leading zero at index time by creating/overwriting a field (link) - don't do this

    transforms.conf:

    [my_unique_stanza]
REGEX = ^\w{2},0(?<myfield>\d*),.*$

    props.conf:

    [host::myhost]
TRANSFORMS-mytransformation = <my_unique_stanza>

    fields:conf:

    [myfield]
INDEXED=true

  • do the join (link) at search time. Supposing your data "LW,0209999948,,NOR,1,L,00137" is in some source called "data1" and the field you want to do a join against in data2 is named "myfield":

    source=data1 | rex "^\w{2},0(?<myfield>\d*),.*$" | join myfield [search source=data2]

Have fun - Bjoern

View solution in original post

Reply
Solved! Jump to solution
Solution

bjoernjensen
Contributor
‎09-01-2014 02:14 PM

Hi Garry!

Amongst other things you could:

  • remove the leading zero at index time by creating/overwriting a field (link) - don't do this

    transforms.conf:

    [my_unique_stanza]
REGEX = ^\w{2},0(?<myfield>\d*),.*$

    props.conf:

    [host::myhost]
TRANSFORMS-mytransformation = <my_unique_stanza>

    fields:conf:

    [myfield]
INDEXED=true

  • do the join (link) at search time. Supposing your data "LW,0209999948,,NOR,1,L,00137" is in some source called "data1" and the field you want to do a join against in data2 is named "myfield":

    source=data1 | rex "^\w{2},0(?<myfield>\d*),.*$" | join myfield [search source=data2]

Have fun - Bjoern

Reply
Solved! Jump to solution

garryclarke
Path Finder
‎09-01-2014 02:37 PM

Thanks Bjoern the regex in the second part of your reply sorted it out

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎09-01-2014 08:15 AM

You can use ltrim function of eval

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Commonevalfunctions

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...