Is there anything like the UNIX tr command in Splunk?
In one data source I have phone numbers like (800) 555-4444 and in another data source the phone numbers are formatted like 800-555-4444. I would like to do a join between these two data sources on the phone number but cannot as they do not match.
It could look like this:
echo "(800) 555-4444" | tr -d "()" | tr " " -
outputs 800-555-4444
So, other than using sed, awk or tr on the data before it gets to Splunk, can this be done on the fly?
You could have a look at this section in the manual for making the changes before indexing:
http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Anonymizedatausingconfigurationfiles
or you can do it at search time with combinations of eval and rex:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
Hope this helps,
Kristian
This worked well
| rex mode=sed "s/\(//g" | rex mode=sed "s/\) /-/g"
It converted (888) 555-4444 to 888-555-4444
Probably be faster in transforms.conf.
Now, does it really work for a join?
Thanks!
That helps. I am going to try something like this
| rex mode=sed "s/\(//g" | rex mode=sed "s/\) /-/g"
Will update here if it works!
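
An added example, not part of the original thread: the search-time normalization discussed above applied to one side and then joined to the other on the phone number. The field names phone, customer and ticket and all values are constructed, and makeresults is used only to generate the sample rows in place of the two real data sources.

```spl
| makeresults
| eval phone="(800) 555-4444", customer="constructed-customer-A"
| rex field=phone mode=sed "s/\(//g"
| rex field=phone mode=sed "s/\) /-/g"
| join type=inner phone
    [| makeresults
     | eval phone="800-555-4444", ticket="constructed-ticket-1"
     | fields phone ticket]
| table phone customer ticket
```

With real data, replace each makeresults/eval pair with the search for that source and keep field=phone pointed at the extracted phone field, since rex without field= rewrites _raw instead.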