Splunk Search

The "ltrim" problem

sajalbansal2
Explorer

Hi Everyone,

There's a small problem I'm having while using the ltrim function.

Query:

| makeresults
| eval username="dev_vishal"
| eval trimName=ltrim(username,"dev_")
| table username trimName

Output:
username = dev_vishal
trimName = ishal

What I really want is to trim the "dev_" out of "dev_vishal". I noticed that this works well with any other username which does not start with a "v". For example:

Query:

| makeresults
| eval username="dev_sajal"
| eval trimName=ltrim(username,"dev_")
| table username trimName



Output:
username = dev_sajal
trimName = sajal

Request the Splunk community to please help me with this.

Thanks,
Sajal

0 Karma
1 Solution

ITWhisperer
SplunkTrust

ltrim() is removing any of those characters from the left - you would have the same issue with ltrim("e_vd",...) or with "dev_david". Try this instead

| rex field=username "^dev_(?<trimName>.*)"


sajalbansal2
Explorer

@ITWhisperer, many thanks for providing a quick solution. Apologies for my late reply.

What I used to solve the problem was slightly different but definitely lengthy (in terms of functions, commands used). See below example for my solution:

| makeresults
| eval username="dev_vishal"
| eval devFlag=if(match(username,".*dev_*."),1,0), tempName=split(username,"_")
| eval newUsername = if(devFlag=1,mvindex(tempName,1),username)
| table username newUsername

Output:
username = dev_vishal
newUsername = vishal

Problem is, now I'm receiving some logs where usernames are a bit different, such as USER_sajal, temp_sajal etc. So to handle that, I would use your suggestion above, i.e. the "rex" command. See below example:

| makeresults
| eval username="dev_vishal"
| rex field=username "\w+_(?<newUsername>.*)"

In this way it would work for all kinds of usernames. Be it dev_vishal, USER_sajal or temp_sajal etc.

Thanks,
Sajal

0 Karma
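
An added example, not from either poster, that runs the approaches in this thread side by side: ltrim() with its character set, an anchored replace() for the literal dev_ prefix, a replace() that strips everything up to the first underscore, and the unanchored rex. The usernames are constructed sample values, and the field names ltrimmed, anchored, firstPrefix and greedy are assumptions made for this example.

```spl
| makeresults
| eval username=split("dev_vishal,dev_david,dev_sajal,USER_sajal,temp_sajal,vishal,dev_a_b", ",")
| mvexpand username
| eval ltrimmed=ltrim(username, "dev_")
| eval anchored=replace(username, "^dev_", "")
| eval firstPrefix=replace(username, "^[^_]+_", "")
| rex field=username "\w+_(?<greedy>.*)"
| table username ltrimmed anchored firstPrefix greedy
```

Compare the columns for names with no underscore or more than one (vishal, dev_a_b): \w also matches underscores and the rex pattern is not anchored, so it does not behave like a first-prefix strip on those rows. When a username is normalized before it is joined against an identity lookup or used in a detection, the anchored form keeps the result predictable.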
