Hello all,
I am having the following list:
1 | ais-notification-service-tm-nft-27-9gv6s | 642 | dk0332-e |
2 | ais-notification-service-tm-nft-2-snfhl | 642 | dk0332-e |
3 | ais-replay-notification-service-tm-nft-3-5n876 | 642 | dk0332-e |
4 | ais-replay-notification-service-tm-nft-34-l4ks2 | 278 | dk0332-e |
5 | ais-replay-notification-service-tm-nft-30-vnh9s | 364 | dk0332-e |
I need to have the following output:
1 | ais-notification-service-tm-nft | 642 | dk0332-e |
2 | ais-notification-service-tm-nft | 642 | dk0332-e |
3 | ais-replay-notification-service-tm-nft | 642 | dk0332-e |
4 | ais-replay-notification-service-tm-nft | 278 | dk0332-e |
5 | ais-replay-notification-service-tm-nft | 364 | dk0332-e |
While I do know how to trim the last characters using evaluation below:
<search string> | eval pod = substr(pod, 1, len(pod)-8)
it doesn't trim them the way I want (because some of the services are being displayed with one more char). How can I make this trimming dynamic, so it automatically trims the extra chars when they're found?
Thanks!
Hi @jugarugabi,
Please try below;
| rex field=pod "(?<pod>.+)-\d*-"
Looks like this one produces the needed output as well as the solution provided by @ITWhisperer
Thanks, I upvoted this solution as well.
Did you try ...
<Your Search> | rex field=pod "(?<newpod>.*)-.*-.*"
Not my strength, so I look forward with eagerness to someone suggesting the optimum regex, but you want the rex command. If you haven't explored regex before, welcome to an interesting chapter in your life. Well worth persevering with for Splunk and beyond. I'm certain my regex string is sub-optimal so use it with caution. In essence, the rex command says, from the field called pod, capture, into a new field called newpod, all the characters until you get to a hyphen followed by any number of any character (.*) followed by a second hyphen and then any number of any character again before the $ sign denotes end of string. One more time, I'm often blown away by how a good regex'er can write an elegant solution and how easy it is to write regex which doesn't cater for every eventuality. But hopefully this gets you pointed in the right direction. Always learning!
| rex field=pod "(?<newpod>.*)-.*-.*"
Perhaps sed can do it.
<search string> | rex mode=sed field=pod "s/nft-.*/nft/"
Unfortunately, not all of the pods will end in "nft" as names. These items were just an example.
It would've helped if they were finishing in this way, and it was ideal... but the people who created the services haven't used a naming convention for each service so that'd help me...
| eval pod = trim(substr(pod, -8),"-")
Using this, it displays only what has been trimmed from the string. By the looks of it, it removes the things I don't need - which is ok.
1 | 21-cljcp | dk0766-c |
The desired output should be:
1 | ais-notification-service-tm-nft- | dk0766-c |
| eval pod = rtrim(substr(pod, -8),"-")
Well, it looks like it has the same output even with rtrim...
Seems a little odd that rtrim doesn't remove the trailing "-"! - try rex to remove it?
| eval pod = substr(pod, -8)
| rex field=pod mode=sed "s/-$//g"
Still shows the output:
1 | 21-cljcp |
2 | 21-9zr5k |
3 | -2-plkzb |
4 | -2-qcq62 |
Instead of following output:
1 | ais-notification-service-tm-nft |
2 | ais-notification-service-tm-nft |
3 | ais-replay-notification-service-tm-nft |
4 | ais-replay-notification-service-tm-nft |
Sorry, messed up the substr, Try this
| eval pod = rtrim(substr(pod, 1, -8),"-")
The output, using eval pod = rtrim(substr(pod, 1, -8),"-") is not showing anything for the pod anymore
1 | dk0766-c | |
2 | dk0766-c | |
3 | dk0766-c | |
4 | dk0766-c |
Sorry I am getting confused - this might be better
| eval pod = rtrim(substr(pod, 1, len(pod)-8),"-")
Unfortunately this didnt helped...
I still seem to be getting some services with -2, -8, -1 etc...
If I am changing the the length and make it to -9:
| eval pod = rtrim(substr(pod, 1, len(pod)-9),"-")
Some of the services that were showing up OK in the past will one more char trimmed (which is not something that's helping out).
Try this
| rex mode=sed field=pod "s/\-\w+\-\w+$//g"
Sir, hats off to you for helping out!
This did the trick!
Thanks!