Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help normalizing a field's contents for display

DaClyde
Contributor
‎09-20-2016 11:21 AM

I'm extracting a piece of a filename to create a field using makemv and a rex command. The extracted field should be formatted like 89-02687, but sometimes occurs as 8902687. I want all of my output to show the proper formatting, so all the results have the XX-XXXXX format.

Could I use a tostring statement and a regex or a replace command to somehow insert the hyphen into any results that don't have it after the second digit?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2016 11:33 AM

You should be able to do it with rex.

... | rex mode=sed field=foo "s/(\d{2})(\d{5})/\1-\2/" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2016 11:33 AM

You should be able to do it with rex.

... | rex mode=sed field=foo "s/(\d{2})(\d{5})/\1-\2/" | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

DaClyde
Contributor
‎09-20-2016 11:40 AM

Here's where I put the line:

| rex field=filename "(?:[^.\n]*.){2}(?P<RDFTAIL>[^.]+)" 
| stats sum(filesize) as Bytes by cbmfolder,RDFTAIL,Date
| eval MB = Bytes/1024/1024 
| eval MB=round(MB,1) 
| rex mode=sed field=RDFTAIL "s/(\d{2})(\d{5})/\1-\2"

But I get this error:

⚠ Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2016 11:43 AM

I forgot to close the sed string. See the revised answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

DaClyde
Contributor
‎09-20-2016 11:44 AM

Ah, beautiful, works perfectly. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...