Dashboards & Visualizations

How to replace dynamic field values?

kallisrayar1986
Path Finder

I have a field (Details) with the below values which is an output of stats command:

Details:

values(XXX)
values(YYY)

i want to replace the above with XXX and YYY, basically i want to trim values( and ).

If i try "replace values(XXX) with XXX in Details" it works fine but the XXX and YYY will be keep changing based on my search and it is going to be dynamic.

Please help.

1 Solution

ramdaspr
Contributor

If I understood the question correctly, you can use eval trim to remove the static characters.
so that would be

your query here | eval Details=trim(Details,"values(") | eval Details=trim(Details,")")

View solution in original post

ramdaspr
Contributor

If I understood the question correctly, you can use eval trim to remove the static characters.
so that would be

your query here | eval Details=trim(Details,"values(") | eval Details=trim(Details,")")

ramdaspr
Contributor
... | rex field=Details mode=sed "s/^values\(//" | rex field=Details mode=sed "s/\)$//"

Lets see if rex does it this time. I tried it locally with single strings and it seems to work ok.

kallisrayar1986
Path Finder

hi, it worked fine this time.. thank you..!! 🙂

0 Karma

ramdaspr
Contributor

No worries. But you have to note that it isnt the perfect solution either since it will replace any field value which has a ")" at the end even if it doesnt start with "values(".

Unfortunately my regex skills are lacking so you might want to check if there is a better regex option.

0 Karma

kallisrayar1986
Path Finder

It is a tranpose results set, the column name is Details: the values are as follows -

Details

test_id
iter
appver
Scenario
Version
requests_count_total
values(aaa)
values(bbb)
values(ccc)
values(ddd)
values(eee)
values(fff)

0 Karma

kallisrayar1986
Path Finder

Thank you, but the above query trims every field even if it does not contain values(), any other suggestion?

0 Karma

ramdaspr
Contributor

Can you provide a sizable sample of what your data column looks like?
The trim command should ideally work only if a match is present so I am not sure what dataset its processing which is causing this issue.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...