Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to strip out trailing 0's

efelder0
Communicator
‎12-19-2011 12:46 PM

I have a field in my output that contains the following values: DAT_Version = 6556.0000

What would the REGEX look like to strip out the .0000?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎12-19-2011 01:03 PM

There are a few ways to do this using the search language, one is via the rex command to extract only numbers (everything left of the decimal) in your example:

... | rex field=DAT_Version "(?<DAT_Version>\d+)"

Another way is via eval to replace the decimal and all numbers to the right of it with nothing:

... | eval DAT_Version=replace(DAT_Version,"\.\d+","")

You may also choose to write a props to have this format extracted automatically.

MTA: You can also return the floor value, via eval:

... | eval DAT_Version=floor(DAT_Version)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎10-11-2018 09:54 AM

The other three answers here answer this use case specifically, that is, if there are nothing to the right of the decimal.

Here's how strip out trailing zeroes if you know you might have significant digits to the right of the decimal (e.g. "6556.123000"):

 | rex field=myfield"^(?<myfield>[\s\S]*\.[\s\S]*?)0*$" |
Reply
Solved! Jump to solution

shandr
Path Finder
‎09-21-2023 11:17 PM

h/t Nick

I have iterated on your idea. It stripped the decimals nicely but kept the dot when "6556.000" so I added \d.

| rex field=alert_value "^(?<myfield>[\s\S]*\.\d[\s\S]*?)0*$"


In my case, my field also contains integers:

| rex field=alert_value "^(?<keep>[^\.]+)(?<keepdot>\.{0,1})(?<keepdotdecimal>\d*?)0*$"
| eval human_value = keep . if(len(keepdotdecimal)!=0, "." . keepdotdecimal, "")

It caters for "6556" and "6,556"

0 Karma
Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎12-19-2011 01:41 PM

eval DAT_Version=round(DAT_Version, 0)

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎12-19-2011 01:03 PM

There are a few ways to do this using the search language, one is via the rex command to extract only numbers (everything left of the decimal) in your example:

... | rex field=DAT_Version "(?<DAT_Version>\d+)"

Another way is via eval to replace the decimal and all numbers to the right of it with nothing:

... | eval DAT_Version=replace(DAT_Version,"\.\d+","")

You may also choose to write a props to have this format extracted automatically.

MTA: You can also return the floor value, via eval:

... | eval DAT_Version=floor(DAT_Version)
0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎12-19-2011 12:57 PM

I'm sure there is another eval magic trick that could do it but maybe something like;

| rex field=DAT_Version "(?<Datversion>[^.]+)"

Which will capture everything up until to the period

Also, if it helps / works then don't forget to accept the answer as right by clicking on the tick to the left! it means that others with the same questions will be able to find the right answers 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...