- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I remove a part of a string?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is there an eval command that will remove the last part of a string.
For example:
"Installed - 5%" will be come "Installed"
"Not Installed - 95%" will become "Not Installed"
Basically remove " - *%" from a string
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @baty0
try like this
|makeresults |eval hari="Installed - 5%" |append [| makeresults |eval hari="Not Installed - 95%" ] |table hari |eval results=split(hari," -") |eval hari=mvindex(results,0) |table hari
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a use case where i need to pass the previously performed search query to replace the part of message with empty string.
environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="*Data = *"| eval message=replace(message," Data = ","")
The above message in turn obtained must be used to do another operation.
But the replace function itself is not working when i did a splunk search query. I am able to see the log with "Data =" being not removed and came as it is.
I need to do this asap. can u pls provide a solution ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@d942725 Please post a new question.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can use the eval replace() function to replace the " - ##%" values with regex as follows:
| makeresults
| eval foo = "Installed - 5%"
| eval bar = "Not Installed - 95%"
| eval foo_replaced=replace(foo,"\s\-\s\d+\%",""), bar_replaced=replace(bar,"\s\-\s\d+\%","")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, you can extract using rex command as well. with eval, you would have to use 2 steps and rex is 1 step solution:
Try this
| makeresults
| eval data="Installed - 5%,Not Installed - 95%"
| makemv data delim=","
| mvexpand data
| table data| rex field=data "(?<newfield>[^\-]+)\s"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @baty0
try like this
|makeresults |eval hari="Installed - 5%" |append [| makeresults |eval hari="Not Installed - 95%" ] |table hari |eval results=split(hari," -") |eval hari=mvindex(results,0) |table hari
Harish
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
