
Trimming last 8-9 chars from string

jugarugabi
Path Finder

Hello all, 

I am having the following list:

1 ais-notification-service-tm-nft-27-9gv6s 642dk0332-e
2 ais-notification-service-tm-nft-2-snfhl 642dk0332-e
3 ais-replay-notification-service-tm-nft-3-5n876 642dk0332-e
4 ais-replay-notification-service-tm-nft-34-l4ks2 278dk0332-e
5 ais-replay-notification-service-tm-nft-30-vnh9s 364dk0332-e

 

I need to have the following output:

1 ais-notification-service-tm-nft 642dk0332-e
2 ais-notification-service-tm-nft 642dk0332-e
3 ais-replay-notification-service-tm-nft 642dk0332-e
4 ais-replay-notification-service-tm-nft 278dk0332-e
5 ais-replay-notification-service-tm-nft 364dk0332-e

 

While I do know how to trim the last characters using evaluation below:

<search string> | eval pod = substr(pod, 1, len(pod)-8)

it doesn't trim them the way I want (because some of the services are being displayed with one more char). How can I make this trimming dynamic, so it automatically trims the extra chars when they're found?

Thanks!

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try this

| rex mode=sed field=pod "s/\-\w+\-\w+$//g"


scelikok
SplunkTrust

Hi @jugarugabi,

Please try below;

| rex field=pod "(?<pod>.+)-\d*-"
If this reply helps you, an upvote and "Accept as Solution" is appreciated.

jugarugabi
Path Finder

Looks like this one produces the needed output as well as the solution provided by @ITWhisperer 

Thanks, I upvoted this solution as well. 

0 Karma

tread_splunk
Splunk Employee

Did you try ...

<Your Search> | rex field=pod "(?<newpod>.*)-.*-.*"

tread_splunk
Splunk Employee

Not my strength, so I look forward with eagerness to someone suggesting the optimum regex, but you want the rex command.  If you haven't explored regex before, welcome to an interesting chapter in your life.  Well worth persevering with for Splunk and beyond.  I'm certain my regex string is sub-optimal so use it with caution.  In essence, the rex command says, from the field called pod, capture, into a new field called newpod, all the characters until you get to a hyphen followed by any number of any character (.*) followed by a second hyphen and then any number of any character again before the $ sign denotes end of string.  One more time, I'm often blown away by how a good regex'er can write an elegant solution and how easy it is to write regex which doesn't cater for every eventuality.  But hopefully this gets you pointed in the right direction.   Always learning!

| rex field=pod "(?<newpod>.*)-.*-.*"

 

0 Karma

richgalloway
SplunkTrust

Perhaps sed can do it.

<search string> | rex mode=sed field=pod "s/nft-.*/nft/"
---
If this reply helps you, Karma would be appreciated.
0 Karma

jugarugabi
Path Finder

Unfortunately, not all of the pods will end in "nft" as names. These items were just an example. 

It would've helped if they were finishing in this way, and it was ideal... but the people who created the services haven't used a naming convention for each service so that'd help me...

0 Karma

ITWhisperer
SplunkTrust
| eval pod = trim(substr(pod, -8),"-")
0 Karma

jugarugabi
Path Finder

Using this, it displays only what has been trimmed from the string. By the looks of it, it removes the things I don't need - which is ok. 

1 21-cljcp dk0766-c

 

The desired output should be: 

1ais-notification-service-tm-nft-dk0766-c
0 Karma

ITWhisperer
SplunkTrust
| eval pod = rtrim(substr(pod, -8),"-")
0 Karma

jugarugabi
Path Finder

Well, it looks like it has the same output even with rtrim...

0 Karma

ITWhisperer
SplunkTrust

Seems a little odd that rtrim doesn't remove the trailing "-"! - try rex to remove it?

| eval pod = substr(pod, -8)
| rex field=pod mode=sed "s/-$//g"

 

0 Karma

jugarugabi
Path Finder

Still shows the output: 

1 21-cljcp
2 21-9zr5k
3 -2-plkzb
4 -2-qcq62

 

 Instead of following output:

1 ais-notification-service-tm-nft
2 ais-notification-service-tm-nft
3 ais-replay-notification-service-tm-nft
4 ais-replay-notification-service-tm-nft

 

 

 

0 Karma

ITWhisperer
SplunkTrust

Sorry, messed up the substr, Try this

| eval pod = rtrim(substr(pod, 1, -8),"-")
0 Karma

jugarugabi
Path Finder

The output, using eval pod = rtrim(substr(pod, 1, -8),"-") is not showing anything for the pod anymore 

1 dk0766-c
2 dk0766-c
3 dk0766-c
4 dk0766-c
0 Karma

ITWhisperer
SplunkTrust

Sorry I am getting confused - this might be better

| eval pod = rtrim(substr(pod, 1, len(pod)-8),"-")
0 Karma

jugarugabi
Path Finder

Unfortunately this didn't help...

I still seem to be getting some services with -2, -8, -1 etc...

If I am changing the length and make it -9:

| eval pod = rtrim(substr(pod, 1, len(pod)-9),"-")

Some of the services that were showing up OK in the past will have one more char trimmed (which is not something that's helping out).

0 Karma

ITWhisperer
SplunkTrust

Try this

| rex mode=sed field=pod "s/\-\w+\-\w+$//g"

jugarugabi
Path Finder

Sir, hats off to you for helping out!

This did the trick!

Thanks!

0 Karma