Splunk Search

Replace First Two Digits

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I have a telephone number field "telnofac" with the first two digits being 44.

Could someone tell me please is there a way to replace these the 44 with a 0?

Many thanks and kind regards

Chris

0 Karma
1 Solution

gcusello
Esteemed Legend

Hi IRHM73,
I need two additional pieces of information:

  • do you want to replace numbers at index time or at search time?
  • do you want to replace 44 with 0 or with 044?

if at index time and you want to replace 44 with 0, you have to insert this in your props.conf in your sourcetype stanza (if before the number there's "telnofac="):

SEDCMD-telnofac = s/telnofac\=44\d*/telnofac\=0\d*/g

(check regex!)

if you want to do this at search time and replace 44 with 0, use this command:

| rex field=telnofac mode=sed "s/44\d*/0\d*/g"

or

| eval telnofac = replace(telnofac , "44\d*","0\d*")

Bye.
Giuseppe

IRHM73
Motivator

Hi @cusello, thank you for the comprehensive reply.

I want to make the change at search time, so I used the second solution you provided, but unfortunately it didn't work; the output of the field now shows:

0\d*

Many thanks and kind regards

Chris

0 Karma

IRHM73
Motivator

Hi @cusello and all.

I was able to make a working solution using: sed "s/44/0/g"

Many thanks and kind regards

Chris

0 Karma

s2_splunk
Splunk Employee

Chris, you are aware that this will change all occurrences of 44 to 0, so if your telnofac is 4412345446789, it will result in 01234506789; probably not what you want.

I would change it to | rex field=telnofac mode=sed "s/^44/0/" to only replace the first occurrence, anchored to the beginning of the field, just to be safe.

0 Karma
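As an added example (not code from the thread), here is a Python re-implementation of the three sed substitutions discussed above: it reproduces why `s/44/0/g` turns 4412345446789 into 01234506789, why the `44\d*`/`0\d*` version printed a literal `0\d*`, and what the `^` anchor changes. Python is used only because Splunk's `mode=sed` regex cannot be run outside Splunk; the sample field values other than 4412345446789 are constructed.

```python
import re

# Constructed sample telnofac values; 4412345446789 is the number s2_splunk
# used above, the others are made up here to show edge cases.
SAMPLE_TELNOFAC = ["4412345446789", "441234567890", "0441234567890", "44abc"]


def replace_all_44(tel: str) -> str:
    """Python equivalent of sed 's/44/0/g': every '44' becomes '0',
    including ones in the middle of the number (the pitfall)."""
    return re.sub(r"44", "0", tel)


def replace_leading_44(tel: str) -> str:
    """Python equivalent of sed 's/^44/0/': the '^' anchor means only a
    '44' at the very start of the field is touched."""
    return re.sub(r"^44", "0", tel)


def greedy_digit_class_pitfall(tel: str) -> str:
    """Reproduces why 's/44\\d*/0\\d*/g' printed a literal '0\\d*': the
    pattern 44\\d* swallows the rest of the digits, and sed does not
    expand \\d in the replacement side, so the whole match is replaced by
    the literal text. A callable replacement stops Python from
    interpreting the backslash either."""
    return re.sub(r"44\d*", lambda m: r"0\d*", tel)


def strict_leading_44(tel: str) -> str:
    """Defensive variant: rewrite only when the whole field is digits
    beginning with 44, so malformed or already-converted values pass
    through unchanged instead of being partially rewritten."""
    m = re.fullmatch(r"44(\d+)", tel)
    return "0" + m.group(1) if m else tel


if __name__ == "__main__":
    for tel in SAMPLE_TELNOFAC:
        print(f"{tel:>14}  all:{replace_all_44(tel):>14}  "
              f"leading:{replace_leading_44(tel):>14}  "
              f"strict:{strict_leading_44(tel):>14}")
```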

IRHM73
Motivator

Hi @ssievert, that's great, I hadn't realised that.

Thank you for taking the time to reply.

May I ask what the ^ does?

Many thanks and kind regards

Chris

0 Karma

s2_splunk
Splunk Employee

"^" anchors to the beginning of the string. See here.

0 Karma

IRHM73
Motivator

Many thanks @ssievert.

Regards

Chris

0 Karma

gcusello
Esteemed Legend

try with

| replace "44*" WITH "0*" IN telnofac

instead of the rex command.

Bye.
Giuseppe

0 Karma

IRHM73
Motivator

Thank you @cusello

Regards

0 Karma