Solved: How to use rex and ltrim to extract this field in ...

kiran331 · ‎02-16-2017

Hi,

I have a field EMP, I need to remove the 0000 present before the field, is this do able?
like, I'm using Rex and ltrim

|rex field=EMP "(?\d{5})$"|eval EMP=if (like (EMP,"0000%"),ltrim(EMP,"0000\\"),EMP)

EMP:
000012345
000000002(its removing all 0's but i need 00001)
0000ABCDEFGH

Expected output;
12345
00002
ABCDEFGH

mpreddy · ‎02-16-2017

try something like this,

|stats c |eval f="000012345,000000002,0000ABCDEFGH,100000" |eval field=split(f,",") | fields - f | mvexpand field |rex mode=sed field=field  "s/^(0000)(.*)/\2/g"

View solution in original post

aaraneta_splunk · ‎03-19-2017

@kiran331 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

woodcock · ‎02-18-2017

Like this:

.... | rex field=EMP mode=sed "s/^0000//"

DalJeanis · ‎02-16-2017

This makes test data -

| makeresults | eval EMP="000012345 0000ABC 000000002 george" | makemv EMP| mvexpand EMP

this answers the question

| eval EMP2=if (like (EMP,"0000%"),substr(EMP,5,len(EMP)-4),EMP)
| table EMP EMP2

With this result

EMP         EMP2
000012345   12345
0000ABC     ABC
000000002   00002
george      george

mpreddy · ‎02-16-2017

try something like this,

|stats c |eval f="000012345,000000002,0000ABCDEFGH,100000" |eval field=split(f,",") | fields - f | mvexpand field |rex mode=sed field=field  "s/^(0000)(.*)/\2/g"

How to use rex and ltrim to extract this field in my data?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms