Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to strip out trailing 0's

efelder0
Communicator
‎12-19-2011 12:46 PM

I have a field in my output that contains the following values: DAT_Version = 6556.0000

What would the REGEX look like to strip out the .0000?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎12-19-2011 01:03 PM

There are a few ways to do this using the search language, one is via the rex command to extract only numbers (everything left of the decimal) in your example:

... | rex field=DAT_Version "(?<DAT_Version>\d+)"

Another way is via eval to replace the decimal and all numbers to the right of it with nothing:

... | eval DAT_Version=replace(DAT_Version,"\.\d+","")

You may also choose to write a props to have this format extracted automatically.

MTA: You can also return the floor value, via eval:

... | eval DAT_Version=floor(DAT_Version)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎10-11-2018 09:54 AM

The other three answers here answer this use case specifically, that is, if there are nothing to the right of the decimal.

Here's how strip out trailing zeroes if you know you might have significant digits to the right of the decimal (e.g. "6556.123000"):

 | rex field=myfield"^(?<myfield>[\s\S]*\.[\s\S]*?)0*$" |
Reply
Solved! Jump to solution

shandr
Path Finder
‎09-21-2023 11:17 PM

h/t Nick

I have iterated on your idea. It stripped the decimals nicely but kept the dot when "6556.000" so I added \d.

| rex field=alert_value "^(?<myfield>[\s\S]*\.\d[\s\S]*?)0*$"


In my case, my field also contains integers:

| rex field=alert_value "^(?<keep>[^\.]+)(?<keepdot>\.{0,1})(?<keepdotdecimal>\d*?)0*$"
| eval human_value = keep . if(len(keepdotdecimal)!=0, "." . keepdotdecimal, "")

It caters for "6556" and "6,556"

0 Karma
Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎12-19-2011 01:41 PM

eval DAT_Version=round(DAT_Version, 0)

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎12-19-2011 01:03 PM

There are a few ways to do this using the search language, one is via the rex command to extract only numbers (everything left of the decimal) in your example:

... | rex field=DAT_Version "(?<DAT_Version>\d+)"

Another way is via eval to replace the decimal and all numbers to the right of it with nothing:

... | eval DAT_Version=replace(DAT_Version,"\.\d+","")

You may also choose to write a props to have this format extracted automatically.

MTA: You can also return the floor value, via eval:

... | eval DAT_Version=floor(DAT_Version)
0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎12-19-2011 12:57 PM

I'm sure there is another eval magic trick that could do it but maybe something like;

| rex field=DAT_Version "(?<Datversion>[^.]+)"

Which will capture everything up until to the period

Also, if it helps / works then don't forget to accept the answer as right by clicking on the tick to the left! it means that others with the same questions will be able to find the right answers 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...