Eval ltrim forward slash oddity

alnapp · ‎08-13-2012

Hi, Sure I'm missing something obvious, but:

Raw data has field "SourceName" which is looks like this: api.internal.local/XXXXXXXXX

where XXXXXXX is an API's name

I'm using:
eval API=ltrim(SourceName, "api.internal.local/")

and am getting odd results

some SourceName are behaving as I expect e.g. "api.internal.local/ServerStat" gives me "ServerStat"

but "api.internal.local/inform" gives me "nform"

The only thing I've spotted is the correctly returning values start with an upper-case "S" all others are lowercase

If I miss the slash of the end of the ltrim then all fields are evaluated to "/XXXXXXXX" as you might expect

Any suggestions as to cause, and advise on grabbing what I want would be very gratefully received?

ziegfried · ‎08-13-2012

I think ltrim is not applicable for your use-case as ltrim(X,Y) will remove all characters in Y from the left handside of X. Using the replace function is probably the best way to go:

... | eval  API=replace(SourceName,"ˆapi\.internal\.local/","")

To clarify: ltrim removes any characters given in the second argument from the left handside of the first argument. So not the exact sequence of Y is removed from X, but any character from Y is removed from X until it reaches a character Y doesn't contain. So ltrim(somefield,"AB") is exactly the same as ltrim(somefield,"BA") and is the same as ltrim(somefield,"ABBA").

Eval ltrim forward slash oddity

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!