Solved: Need help normalizing a field's contents for displ...

DaClyde · ‎09-20-2016

I'm extracting a piece of a filename to create a field using makemv and a rex command. The extracted field should be formatted like 89-02687, but sometimes occurs as 8902687. I want all of my output to show the proper formatting, so all the results have the XX-XXXXX format.

Could I use a tostring statement and a regex or a replace command to somehow insert the hyphen into any results that don't have it after the second digit?

richgalloway · ‎09-20-2016

You should be able to do it with rex.

... | rex mode=sed field=foo "s/(\d{2})(\d{5})/\1-\2/" | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-20-2016

You should be able to do it with rex.

... | rex mode=sed field=foo "s/(\d{2})(\d{5})/\1-\2/" | ...

---
If this reply helps you, Karma would be appreciated.

DaClyde · ‎09-20-2016

Here's where I put the line:

| rex field=filename "(?:[^.\n]*.){2}(?P<RDFTAIL>[^.]+)" 
| stats sum(filesize) as Bytes by cbmfolder,RDFTAIL,Date
| eval MB = Bytes/1024/1024 
| eval MB=round(MB,1) 
| rex mode=sed field=RDFTAIL "s/(\d{2})(\d{5})/\1-\2"

But I get this error:

⚠ Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

richgalloway · ‎09-20-2016

I forgot to close the sed string. See the revised answer.

---
If this reply helps you, Karma would be appreciated.

DaClyde · ‎09-20-2016

Ah, beautiful, works perfectly. Thanks!

Need help normalizing a field's contents for display

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor