Solved: How can I edit field values?

TNRRVN93 · ‎10-08-2017

Hello together,

I have the field Vegetables with 5 field values. The field values are cucumber, tomato, onion, carrot and potato.
When I am clicking to the field in the fields sidebar, the field values are displayed with a slash (/) - such as carrot/. And as well in the pie chart.
I want to represent the values without the slash in the pie chart.

That is my search:
sourcetype="notrelevant" | chart count by Vegetables

I have already looked in the documentation and in other questions, but unfortunately I could not find a solution.
Could you please help me?

Thanks in advance!

493669 · ‎10-08-2017

Use below rex command-

sourcetype="notrelevant" |rex field=Vegetables "(?<Vegetables>\w+)"| chart count by Vegetables

It will work.

View solution in original post

493669 · ‎10-08-2017

Use below rex command-

sourcetype="notrelevant" |rex field=Vegetables "(?<Vegetables>\w+)"| chart count by Vegetables

It will work.

TNRRVN93 · ‎10-08-2017

Hello 493669,

thank you very much!

Do you know, how can I represent the values in upper case?
Thanks in advance.

493669 · ‎10-08-2017

Use Below:
eval Vegetables=upper(Vegetables)

niketn · ‎10-08-2017

[Edit] Added Option 4 rtrim()

PS: It is better to apply the rex after the chart command if it is just for massaging the results as per the need. even the eval to perform upper case.

sourcetype="notrelevant" 
| chart count by Vegetables
| rex field=Vegetables "(?<Vegetables>[^/]+)/"
| eval Vegetables=upper(Vegetables)

@TNRRVN93, seems like your Vegetables have an additional forward slash character / in the end which you need to remove.
There can be several ways of doing this like using rex command or replace() evaluation function. Try any of the following approach by appending to your existing chart command.

Option 1) Using replace() with regular expression:

| eval Vegetables=replace(Vegetables,"(.*)(/)$","\1")

Option 2) Using replace() with character to replace:

| eval Vegetables=replace(Vegetables,"/","")

Option 3) Using rex command with Regular Expression:

| rex field=Vegetables "(?<Vegetables>[^/]+)/"

Option 4: Using rtrim() to remove forward slash from end.

| eval Vegetables=rtrim(Vegetables,"/")

Following is a run-anywhere search to generate some sample data and one of the options to replace forward slash.

| makeresults
| eval Vegetables="potato/",count="37"
| append [| makeresults
| eval Vegetables="tomato/",count="53"]
| append [| makeresults
| eval Vegetables="carrot/",count="13"]
| append [| makeresults
| eval Vegetables="spinach/",count="25"]
| table Vegetables count
| eval Vegetables=replace(Vegetables,"(.*)(/)$","\1")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cpetterborg · ‎10-08-2017

If the values of Vegetables has the slash at the end, you should be able to use the following in your search:

... | rex mode=sed field=Vegetables "s#/$##" | ...

niketn · ‎10-08-2017

@cpetterborg, luckily you have mentioned the alternate rex with sed that I missed! You are truly beyond "regular" regular expressions!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How can I edit field values?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!