Splunk Search

How to remove numbers from events at search time?

rajgowd1
Communicator

Hi,
I have endpoints which are extracted from the log message, and some endpoints have numbers at the end.
Can we replace those last digits with *?

Here are the extracted field and values:

uri = private/credentials/products/CCSID/1001111335764
uri=private/credentials/products/CCSID/1001111336914

Can we display them like below?

uri = private/credentials/products/CCSID/*
uri=private/credentials/products/CCSID/*

0 Karma

skoelpin
SplunkTrust

Try this

... | rex mode=sed "s/\d|\}//g"

0 Karma

skoelpin
SplunkTrust

Why not try this? This does exactly what you're looking for.

0 Karma

nabeel652
Builder

Yes, if you are sure that there will always be a number at the end:

... your search | rex field=uri "(?<uri>.*\/)\d+$" | ... 

or if you are not sure about the last part after "/":

... your search | rex field=uri "(?<uri>.*\/).*$" | ...

rajgowd1
Communicator

Thank you.
A few of the endpoints have a number at the end, so I would need to remove the number from a few of the endpoints.

0 Karma

nabeel652
Builder

So if the URL ends with digits you want to ignore them, but if it ends with alphanumeric values you want to leave them as is? Also, is CCSID something that repeats in every URL at the same place? If you could send a few possible variations of the URL string it would be easier. Cheers

0 Karma

rajgowd1
Communicator

Yes, if the endpoint ends with a digit then I want to ignore the digit or replace the digit with *.

If there is anything alphanumeric then I want to leave it as is.

CCSID repeats in the URL at the same place.

0 Karma

nabeel652
Builder

Try

| rex field=uri "(?<uri>.*[^\d])" 

This will extract a uri that doesn't end with digits, or ignore the digits if it ends with digits.
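Added example, not part of the original thread: a small Python harness that runs the expressions suggested above, plus a `/\d+$` to `/*` replacement, over constructed URIs to show how each treats an alphanumeric last segment and digits in the middle of a path before the pattern goes into a search. Python's `re` is assumed to match Splunk's PCRE for these patterns; the function names and the last three sample URIs are hypothetical.

```python
import re
from collections import Counter

# Constructed sample values. The first two are the URIs from the question;
# the last three are assumptions added to exercise the edge cases.
SAMPLE_URIS = [
    "private/credentials/products/CCSID/1001111335764",
    "private/credentials/products/CCSID/1001111336914",
    "private/credentials/products/CCSID/AB12",  # alphanumeric tail: must stay
    "private/credentials/v2/status",            # digit mid-path: must stay
    "private/credentials/products",             # no numeric tail
]

def star_trailing_id(uri):
    # Replace a final all-digit path segment with '*'.
    # Assumed SPL equivalent: | eval uri=replace(uri, "/\d+$", "/*")
    return re.sub(r"/\d+$", "/*", uri)

def strip_all_digits(uri):
    # The sed expression s/\d|\}//g from the thread, applied to the uri value:
    # removes every digit (and '}'), not only the trailing ones.
    return re.sub(r"\d|\}", "", uri)

def greedy_non_digit(uri):
    # The rex pattern (?<uri>.*[^\d]) from the thread: keeps everything up to
    # the last non-digit character. No match leaves the value unchanged.
    m = re.match(r"(?P<uri>.*[^\d])", uri)
    return m.group("uri") if m else uri

def compare(uris):
    # One row per input: original, then the result of each approach.
    return [(u, star_trailing_id(u), strip_all_digits(u), greedy_non_digit(u))
            for u in uris]

def endpoint_counts(uris):
    # Group events by normalized endpoint, as a "stats count by uri" would.
    return Counter(star_trailing_id(u) for u in uris)

if __name__ == "__main__":
    for row in compare(SAMPLE_URIS):
        print(" | ".join(row))
    for endpoint, count in endpoint_counts(SAMPLE_URIS).items():
        print(count, endpoint)
```

Only the anchored `/\d+$` replacement leaves `CCSID/AB12` and `v2/status` intact while collapsing the two numeric IDs into one endpoint.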
