Solved: Re: Why does the trim function not work on numeric...

anantdeshpande · ‎12-15-2016

Hi,
We have a column where value can be string, alphanumeric, numeric, and with/without spaces before and after it.
Trim function works perfect for string, alphanumeric values with or without spaces. It also works when value is numeric with space.
However, when value is numeric and without any space, it displays in exponential format.

Trim works when data is like: "G12345", "G98765 ", "UPHAV", OUGNJGF ", "67537658 "

Trim displays in exponential when data is like: "98753567" (Number without space) displays like (1.49554e+09).

1) Is there any alternative to trim, which is generic and satisfies all above condition?
2) Can we have any if condition to find out a value which is numeric but without any space before and after it?

anantdeshpande · ‎12-20-2016

Hi all, Thanks for the comments. TRIM function on number without space in Splunk 6.2.0 is not working for us.
However cust_id=replace(cust_id, " ","") [there is space between first double cote] is working perfectly for all data with or without space.

View solution in original post

anantdeshpande · ‎12-20-2016

Hi all, Thanks for the comments. TRIM function on number without space in Splunk 6.2.0 is not working for us.
However cust_id=replace(cust_id, " ","") [there is space between first double cote] is working perfectly for all data with or without space.

nekbote · ‎12-15-2016

your spl does give exponential error in 6.2.2...

You can try appending space in your evail and then continue to use trim...this will ensure numric value with no space gets a space and your trim continues to work..below SPL works just fine

index=_internal sourcetype=splunkd | eval CUST_ID=1234567 |eval CUST_ID=CUST_ID." "| eval NEW_CUST_ID=trim(CUST_ID) | table NEW_CUST_ID

nekbote · ‎12-15-2016

with one less eval compared to previous one..
index=_internal sourcetype=splunkd | eval CUST_ID=12345678910 | eval NEW_CUST_ID=trim(CUST_ID." ") | table NEW_CUST_ID

niketn · ‎12-15-2016

How about when you convert from number to string?

   <your base search> | eval a=tostring(a) | eval b=trim(a)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway · ‎12-15-2016

Which version of Splunk are you using? What is your SPL? I can't reproduce this in 6.5.1.

---
If this reply helps you, Karma would be appreciated.

tkomatsubara_sp · ‎12-15-2016

| makeresults |eval a=98753567 | eval b=trim(a)

What do you mean?

This example shows no problem.

anantdeshpande · ‎12-15-2016

I am using Splunk 6.2
| makeresults |eval a=98753567 | eval b=trim(a) - using same in 6.2 is not working

Can anyone try and let us know if thats the limitation in 6.2

somesoni2 · ‎12-15-2016

The command makeresults is available only on 6.3.x and above. I've tried similar search (below) on 6.2.6 and 6.2.12 it works just fine.

| gentimes start=-1  |eval a=98753567 | table a | eval b=trim(a)

anantdeshpande · ‎12-15-2016

Sorry, I am not using makeresults. My query looks like below:
Index=abc sourcetype=xyz | eval CUST_ID=123456 | eval NEW_CUST_ID=trim(CUST_ID)

somesoni2 · ‎12-15-2016

Would you be able to post a screenshot of the search result? Something similar works just fine for me on 6.2.6.

index=_internal sourcetype=splunkd | eval CUST_ID=123456 | eval NEW_CUST_ID=trim(CUST_ID)

anantdeshpande · ‎12-15-2016

Hi,
Looks like issue is when digits are more than 6 digits. works when CUST_ID is 123456 but gives exponential when CUST_ID is 1234567 . Please try on Splunk 6.2 .

index=_internal sourcetype=splunkd | eval CUST_ID=1234567 | eval NEW_CUST_ID=trim(CUST_ID)

anantdeshpande · ‎12-15-2016

also, our Splunk is 6.2.0

Why does the trim function not work on numeric values without spaces?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?