Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Nested Field Extraction

dahlberg
New Member
‎03-18-2019 11:44 AM

I'm working with following REGEX and event lines:

https://regex101.com/r/YsuMHk/1

I plan to use the regex in an inline field extraction, but as you can see from the extracted fields both the "calling_num" value and the dialed_num value can potentially be prepended with spaces. How would I go about removing those leading spaces once the value has already been extracted within an inline field extraction?

Thanks,
Mike

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎03-18-2019 12:13 PM

You could use ltrim function of eval to trim leading spaces.

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/TextFunctions#ltrim.28X.2CY.29

0 Karma
Reply

dahlberg
New Member
‎03-18-2019 12:33 PM

Ok, but I was kinda hoping to trim the leading spaces before I dealt with it in the Search App.

Mike

0 Karma
Reply

somesoni2
Revered Legend
‎03-18-2019 01:16 PM

I don't think I know a way to trim the spaces during field extractions regex itself. You're saving the field extractions (in props.conf OR in Settings->Fields->Field extractions), not doing inline in search?? You would be able to created calculated fields where you can do that eval-trim operation. This way your data users will not have to do it in the search.
https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Searchtimeoperationssequence#Search-tim...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...