Solved: Replace First Two Digits

IRHM73 · ‎08-31-2017

Hi,

I wonder whether someone may be able to help me please.

I have a telephone number field "telnofac" with the first two digits being 44.

Could someone tell me please is there a way to replace these the 44 with a 0?

Many thanks and kind regards

Chris

gcusello · ‎08-31-2017

Hi IRHM73,
two additional information:

do you want to replace numbers at index time or at search time?
do you want replace 44 with 0 or with 044?

if at index time and you want to replace 44 with 0, you have to insert in your props.conf in your sourcetype stanza (if before number there's "telnofac=")

SEDCMD-telnofac = s/telnofac\=44\d*/telnofac\=0\d*/g

(check regex!)

if you want to do this at search time and replace 44 with 0 use this command

| rex field=telnofac mode=sed "s/44\d*/0\d*/g"

or

| eval telnofac = replace(telnofac , "44\d*","0\d*")

Bye.
Giuseppe

View solution in original post

gcusello · ‎08-31-2017

Hi IRHM73,
two additional information:

do you want to replace numbers at index time or at search time?
do you want replace 44 with 0 or with 044?

if at index time and you want to replace 44 with 0, you have to insert in your props.conf in your sourcetype stanza (if before number there's "telnofac=")

SEDCMD-telnofac = s/telnofac\=44\d*/telnofac\=0\d*/g

(check regex!)

if you want to do this at search time and replace 44 with 0 use this command

| rex field=telnofac mode=sed "s/44\d*/0\d*/g"

or

| eval telnofac = replace(telnofac , "44\d*","0\d*")

Bye.
Giuseppe

IRHM73 · ‎08-31-2017

Hi @cusello, thank you for the comprehensive reply.

I want to make the change at search time, so I used the second solution you provided but unfortunately, it didn't work with the output of the field now showing:

0\d*

Many thanks and kind regards

Chris

IRHM73 · ‎08-31-2017

Hi @cusello and all.

I was able to make a working solution using: sed "s/44/0/g"

Many thanks and kind regards

Chris

s2_splunk · ‎08-31-2017

Chris, you are aware that this will change all occurrences of 44 with 0, so if your telnofac is 4412345446789, it will result in 01234506789; probably not what you want.

I would change it to | rex field=telnofac mode=sed "s/^44/0/" to only replace the first occurrence, anchored to the beginning of the field, just to be safe.

IRHM73 · ‎08-31-2017

Hi @ssievert, that's great I hadn't realise that.

Thank you for taking the time to reply.

May I ask what the ^ does.

Many thanks and kind regards

Chris

s2_splunk · ‎09-01-2017

"^" anchors to the beginning of the string. See here.

IRHM73 · ‎09-03-2017

Many thanks @ssievert.

Regards

Chris

gcusello · ‎08-31-2017

try with
| replace "44*" WITH "0*" IN telnofac
instead rex command
Bye.
Giuseppe

IRHM73 · ‎08-31-2017

Thank you @cusello

Regards

Replace First Two Digits

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes