Splunk Search

How can I remove colons in a field value

superhm
Explorer

Hi there,

I wanna remove colons in a field value like a MAC Address.

I have a field MAC like mac="E8:11:32:31:33:BA", but I want to remove colons to get mac="E811323133BA"

How can I do it?

Thanks,

1 Solution

DalJeanis
SplunkTrust

I'd use rex in mode=sed (see newmac3 code below). richgalloway's method (newmac1 code below) also works.

| makeresults 
| eval mac="E8:11:32:31:33:BA" 
| eval newmac1=mac, newmac2=mac, newmac3=mac
| eval newmac1=replace (newmac1,":","")
| replace "*:*" with "**" in newmac2
| rex field=newmac3 mode=sed "s/://g" 
| table mac, newmac1, newmac2, newmac3

...results in...

mac                newmac1       newmac2           newmac3           
E8:11:32:31:33:BA  E811323133BA  E811:32:31:33:BA  E811323133BA  


0 Karma
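
The same approach extended to the other MAC notations that turn up when correlating logs from different sources (an added example, not part of the original answers): strip every non-hex character, fold case, and flag values that are not exactly 12 hex digits. All sample values except the first are constructed, and the field names mac_norm and mac_valid are made up for illustration.

```spl
| makeresults
| eval mac=split("E8:11:32:31:33:BA,e8-11-32-31-33-ba,e811.3231.33ba,E8:11:32:31:33", ",")
| mvexpand mac
| eval mac_norm=upper(replace(mac, "[^0-9A-Fa-f]", ""))
| eval mac_valid=if(match(mac_norm, "^[0-9A-F]{12}$"), "yes", "no")
| table mac, mac_norm, mac_valid
```

Joining or grouping on mac_norm only where mac_valid="yes" keeps truncated or malformed values from matching the wrong device.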


jtrujillo
Path Finder

I downvoted this post because it doesn't eloquently answer the question. Not that it doesn't answer the question... just the only thing they needed was:

| eval newmac1=replace (mac,":","")
0 Karma

DalJeanis
SplunkTrust

@jtrujillo - Please reread my answer. Only line 6 in mine is needed, which is why my answer starts off with "I'd use rex in mode=sed (see newmac3 code below)."

I may occasionally use a few more words than other people, but when I do it's usually intended to teach. The rest is there to demonstrate that the rex mode=sed and the replace method (that you liked) both work, using run-anywhere code that anyone can run to verify for themselves, and also posting the output from the entire search.

Line 4 demonstrates that @richgalloway's method works correctly.
Line 5 demonstrates that @MOberschelp's method only removes the first colon.
Line 6 demonstrates that my way works correctly.

Please also read the comment on my answer by the original poster.

0 Karma

superhm
Explorer

Wow, Thank you very much DalJeanis.
You have been a great help to me.
Thanks again.

richgalloway
SplunkTrust

Try eval mac=replace (mac,":","").

---
If this reply helps you, Karma would be appreciated.

superhm
Explorer

Thank you richgalloway. It works as I want.

0 Karma

DalJeanis
SplunkTrust

Please make sure and upvote the helpful ones that work!

0 Karma

MOberschelp
Explorer

I think the replace command should help.. try:

| replace "*:*" with "**" in [FIELDNAME]
0 Karma

superhm
Explorer

Thank you for your comment.
It works for the first colon. : )

0 Karma

DalJeanis
SplunkTrust

This method would only work for the first colon. See the test results in my answer.

0 Karma