Solved: How to strip out trailing 0's

efelder0 · ‎12-19-2011

I have a field in my output that contains the following values: DAT_Version = 6556.0000

What would the REGEX look like to strip out the .0000?

bwooden · ‎12-19-2011

There are a few ways to do this using the search language, one is via the rex command to extract only numbers (everything left of the decimal) in your example:

... | rex field=DAT_Version "(?<DAT_Version>\d+)"

Another way is via eval to replace the decimal and all numbers to the right of it with nothing:

... | eval DAT_Version=replace(DAT_Version,"\.\d+","")

You may also choose to write a props to have this format extracted automatically.

MTA: You can also return the floor value, via eval:

... | eval DAT_Version=floor(DAT_Version)

View solution in original post

nick405060 · ‎10-11-2018

The other three answers here answer this use case specifically, that is, if there are nothing to the right of the decimal.

Here's how strip out trailing zeroes if you know you might have significant digits to the right of the decimal (e.g. "6556.123000"):

 | rex field=myfield"^(?<myfield>[\s\S]*\.[\s\S]*?)0*$" |

shandr · ‎09-21-2023

h/t Nick

I have iterated on your idea. It stripped the decimals nicely but kept the dot when "6556.000" so I added \d.

| rex field=alert_value "^(?<myfield>[\s\S]*\.\d[\s\S]*?)0*$"

In my case, my field also contains integers:

| rex field=alert_value "^(?<keep>[^\.]+)(?<keepdot>\.{0,1})(?<keepdotdecimal>\d*?)0*$"
| eval human_value = keep . if(len(keepdotdecimal)!=0, "." . keepdotdecimal, "")

It caters for "6556" and "6,556"

Masa · ‎12-19-2011

eval DAT_Version=round(DAT_Version, 0)

bwooden · ‎12-19-2011

There are a few ways to do this using the search language, one is via the rex command to extract only numbers (everything left of the decimal) in your example:

... | rex field=DAT_Version "(?<DAT_Version>\d+)"

Another way is via eval to replace the decimal and all numbers to the right of it with nothing:

... | eval DAT_Version=replace(DAT_Version,"\.\d+","")

You may also choose to write a props to have this format extracted automatically.

MTA: You can also return the floor value, via eval:

... | eval DAT_Version=floor(DAT_Version)

Drainy · ‎12-19-2011

I'm sure there is another eval magic trick that could do it but maybe something like;

| rex field=DAT_Version "(?<Datversion>[^.]+)"

Which will capture everything up until to the period

Also, if it helps / works then don't forget to accept the answer as right by clicking on the tick to the left! it means that others with the same questions will be able to find the right answers 🙂

How to strip out trailing 0's

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation