Remove Text after Numbers in Field

chrisschum · ‎08-21-2019

How can I remove everything after the zeroes in a field with results like this '000000000'

Thanks!

woodcock · ‎09-01-2019

Like this:

|  makeresults 
|  eval yourField = "00000000abcde"
|  rex field=yourField mode=sed "s/^(\d+).*$/\1/"

Sukisen1981 · ‎08-21-2019

try this

| makeresults
| eval Description="000000000</ParticipantObjectQuery></ParticipantObjectIdentificat></AuditMessage[greater than sign>"

| rex field=Description "(?<Description>\d+)"

Sukisen1981 · ‎08-21-2019

hi @chrisschum
tried the above?

somesoni2 · ‎08-21-2019

I believe you need to provide better example of values, as I don't see anything after the zeros (which portion you want to remove). If your data values are like 0000ABCand you want to change the value to 0000, then you'd do like this (in search)

..| eval fieldnamehere=replace(fieldnamehere,"^(0+)(.+)", "\1")

OR

..| rex field=fieldnamehere mode=sed "s/^(0+)(.+)/\1/"

chrisschum · ‎08-21-2019

It took off the full result field because it has a less than and greater than sign

000000000([less than sign]/ParticipantObjectQuery[greater than sign][less than sign]/ParticipantObjectIdentification[greater than sign][less than sign]/AuditMessage[greater than sign]"

Remove Text after Numbers in Field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!