
How to use rex and ltrim to extract this field in my data?

Builder

Hi,

I have a field EMP, and I need to remove the 0000 present before the field. Is this doable?
Like, I'm using rex and ltrim:

|rex field=EMP "(?\d{5})$"|eval EMP=if (like (EMP,"0000%"),ltrim(EMP,"0000\\"),EMP)

EMP:
000012345
000000002 (it's removing all 0's but I need 00001)
0000ABCDEFGH

Expected output:
12345
00002
ABCDEFGH


Communicator

Try something like this:

|stats c |eval f="000012345,000000002,0000ABCDEFGH,100000" |eval field=split(f,",") | fields - f | mvexpand field |rex mode=sed field=field  "s/^(0000)(.*)/\2/g"


Splunk Employee

@kiran331 - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.


Esteemed Legend

Like this:

.... | rex field=EMP mode=sed "s/^0000//"

SplunkTrust

This makes test data -

| makeresults | eval EMP="000012345 0000ABC 000000002 george" | makemv EMP| mvexpand EMP 

This answers the question -

| eval EMP2=if (like (EMP,"0000%"),substr(EMP,5,len(EMP)-4),EMP)
| table EMP EMP2 

With this result

EMP         EMP2
000012345   12345
0000ABC     ABC
000000002   00002
george      george