Splunk Search

How to trim zeros from event contents?

uagraw01
Motivator

Hello Splunkers!!

 

I have the below value

S000081(=00003102+LCC000060-0000550S00003)

I want to replace the above value with

S81(=3102+LCC60-550S3)

Meaning wherever the digit 0 appears four times, I want to remove those digits.

 

thanks in advance

0 Karma

yuanliu
SplunkTrust

@PickleRick and @ITWhisperer both made valid points.  You can improve readability by using a semantic expression:

| rex mode=sed "s/0{4}//g" ``` works in _raw events ```

or if the data is already in a named field as your code suggests,

| eval element=replace(element,"0{4}","")

 

uagraw01
Motivator

@yuanliu Let me try this solution also. 

0 Karma

PickleRick
SplunkTrust

Yours is not equivalent to mine 😉

Mine cuts any two or more zeros (might be expressed as 0{2,}), yours cuts exactly four zeros. Similar but different. In this case of course both will work since the OP's original event contained sequences of four zeros but in general case one might be better than the other (depending on the case).

uagraw01
Motivator

@PickleRick Yes you are right. That is also working for me.

 

0 Karma

ITWhisperer
SplunkTrust

| eval _raw=replace(_raw, "0000", "")

0 Karma

PickleRick
SplunkTrust

In order to remove strings consisting of more than one consecutive zero (because that's what it seems you want to do - you didn't specify it more precisely), you can do

| rex mode=sed "s/00+//g"

One caveat though - if you have fields extracted from this event, it won't trim contents of those events unless you manually do the same with each field's contents. So that might not be what you really need.

0 Karma

uagraw01
Motivator

@PickleRick No, sed mode is not working. But I have tried the below one and it is working fine.

 

| eval element=replace(element,"0000","")

 

0 Karma

PickleRick
SplunkTrust

Your eval works on a single field, not on raw event's contents. rex with sed mode should work in such case as well, you just have to point it to work on that field, not on a _raw message. But if replace works for you, that's great.

0 Karma
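As an added illustration (not code from any of the posters), the following Python model checks two points made in the thread: that the "exactly four zeros" pattern and the "two or more zeros" pattern give the same result on the OP's event but diverge on other inputs, and that rewriting `_raw` leaves already-extracted fields untouched. The event, field names and divergent sample are constructed for the example.

```python
import re

# Constructed from the thread: the OP's event and the result they asked for.
SAMPLE = "S000081(=00003102+LCC000060-0000550S00003)"
EXPECTED = "S81(=3102+LCC60-550S3)"

# The substitutions proposed in the thread, as Python regexes.
PATTERNS = {
    "exactly_four": r"0{4}",   # replace(..., "0{4}", "") or the literal "0000"
    "two_or_more": r"00+",     # rex mode=sed "s/00+//g"; same as 0{2,}
}


def trim_zeros(value: str, pattern: str) -> str:
    """What `eval x=replace(x, pattern, "")` does to one field value."""
    return re.sub(pattern, "", value)


def compare(value: str) -> dict:
    """Run every pattern from the thread over one value, keyed by pattern name."""
    return {name: trim_zeros(value, pat) for name, pat in PATTERNS.items()}


def trim_event(event: dict, pattern: str, fields=("_raw",)) -> dict:
    """Model of PickleRick's caveat: a substitution applied to _raw does not
    touch fields that were already extracted from it. Only the keys listed in
    `fields` are rewritten; everything else in the event is returned as-is."""
    return {k: (trim_zeros(v, pattern) if k in fields else v)
            for k, v in event.items()}


if __name__ == "__main__":
    print(compare(SAMPLE))                 # both patterns yield EXPECTED
    print(compare("A00B000C00000D"))       # here the two patterns differ
    # Constructed event with a field ("element") already extracted from _raw.
    event = {"_raw": SAMPLE, "element": SAMPLE}
    print(trim_event(event, PATTERNS["exactly_four"]))
```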