Re: Remove Text after Numbers in Field

chrisschum · ‎08-21-2019

How can I remove everything after the zeroes in a field with results like this '000000000'

Thanks!

woodcock · ‎09-01-2019

Like this:

|  makeresults 
|  eval yourField = "00000000abcde"
|  rex field=yourField mode=sed "s/^(\d+).*$/\1/"

Sukisen1981 · ‎08-21-2019

try this

| makeresults
| eval Description="000000000</ParticipantObjectQuery></ParticipantObjectIdentificat></AuditMessage[greater than sign>"

| rex field=Description "(?<Description>\d+)"

Sukisen1981 · ‎08-21-2019

hi @chrisschum
tried the above?

somesoni2 · ‎08-21-2019

I believe you need to provide better example of values, as I don't see anything after the zeros (which portion you want to remove). If your data values are like 0000ABCand you want to change the value to 0000, then you'd do like this (in search)

..| eval fieldnamehere=replace(fieldnamehere,"^(0+)(.+)", "\1")

OR

..| rex field=fieldnamehere mode=sed "s/^(0+)(.+)/\1/"

chrisschum · ‎08-21-2019

It took off the full result field because it has a less than and greater than sign

000000000([less than sign]/ParticipantObjectQuery[greater than sign][less than sign]/ParticipantObjectIdentification[greater than sign][less than sign]/AuditMessage[greater than sign]"

Remove Text after Numbers in Field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation