Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The "ltrim" problem

sajalbansal2
Explorer
‎06-17-2022 10:55 PM

Hi Everyone,

There's a small problem I'm having while using the ltrim function.

Query:

| makeresults
| eval username="dev_vishal"
| eval trimName=ltrim(username,"dev_")
| table username trimName

Output:
username = dev_vishal
trimName = ishal

What I really want is to trim the "dev_" out of "dev_vishal". I noticed that this works well with any other username which does not start with a "v". For example:

Query:

| makeresults
| eval username="dev_sajal"
| eval trimName=ltrim(username,"dev_")
| table username trimName



Output:
username = dev_sajal
trimName = sajal

Request the Splunk community to please help me with this.

Thanks,
Sajal

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 11:19 PM

ltrim() is removing any of those characters from the left - you would have the same issue with ltrim("e_vd",...) or with "dev_david". Try this instead

| rex field=username "^dev_(?<trimName>.*)"

View solution in original post

Reply
Solved! Jump to solution

sajalbansal2
Explorer
‎06-30-2022 05:46 AM

@ITWhisperer , many thanks for providing a quick solution. Apologies for my late reply.

What I used to solve the problem was slightly different but definitely lengthy (in terms of functions, commands used). See below example for my solution:

| makeresults
| eval username="dev_vishal"
| eval devFlag=if(match(username,".*dev_*."),1,0), tempName=split(username,"_")
| eval newUsername = if(devFlag=1,mvindex(tempName,1),username)
| table username newUsername

Output:
username = dev_vishal
newUsername = vishal

Problem is, now I'm receiving some logs where usernames are a bit different such as, USER_sajal, temp_sajal etc. So to handle that, I would use your suggestion above i.e the "rex" command. See below example:

| eval username="dev_vishal"
| rex field=username "\w+_(?<newUsername>.*)"

In this way it would work for all kinds of usernames. Be it dev_vishal, USER_sajal or temp_sajal etc.

Thanks,
Sajal

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 11:19 PM

ltrim() is removing any of those characters from the left - you would have the same issue with ltrim("e_vd",...) or with "dev_david". Try this instead

| rex field=username "^dev_(?<trimName>.*)"
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...