Remove Text after Numbers in Field

chrisschum · ‎08-21-2019

How can I remove everything after the zeroes in a field with results like this '000000000'

Thanks!

woodcock · ‎09-01-2019

Like this:

|  makeresults 
|  eval yourField = "00000000abcde"
|  rex field=yourField mode=sed "s/^(\d+).*$/\1/"

Sukisen1981 · ‎08-21-2019

try this

| makeresults
| eval Description="000000000</ParticipantObjectQuery></ParticipantObjectIdentificat></AuditMessage[greater than sign>"

| rex field=Description "(?<Description>\d+)"

Sukisen1981 · ‎08-21-2019

hi @chrisschum
tried the above?

somesoni2 · ‎08-21-2019

I believe you need to provide better example of values, as I don't see anything after the zeros (which portion you want to remove). If your data values are like 0000ABCand you want to change the value to 0000, then you'd do like this (in search)

..| eval fieldnamehere=replace(fieldnamehere,"^(0+)(.+)", "\1")

OR

..| rex field=fieldnamehere mode=sed "s/^(0+)(.+)/\1/"

chrisschum · ‎08-21-2019

It took off the full result field because it has a less than and greater than sign

000000000([less than sign]/ParticipantObjectQuery[greater than sign][less than sign]/ParticipantObjectIdentification[greater than sign][less than sign]/AuditMessage[greater than sign]"

Remove Text after Numbers in Field

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk New Course Releases for a Changing World

Are you a member of the Splunk Community?

Remove Text after Numbers in Field

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk New Course Releases for a Changing World