Usage Of Splunk Eval Function : RTRIM

Usage Of Splunk Eval Function : RTRIM

“rtrim” function is an eval function. We can use one or two arguments with this function and returns the value from first argument with the character/characters in second argument trimmed from the right side.

Note : If second argument is not specified then it remove spaces and tabs from the first argument from right side.

Syntax :  

| eval <field_name>=rtrim(A,B)

Example :

| makeresults
| eval Name="Ram,Sham,Jadu,Shaan" , Name=split(Name,",")
| mvexpand Name
| eval New_Name=ltrim(Name,"am")

Result :
Image 1 : –

ltrim_1
Image 2 : –
rtrim_2
Explanation :

  • In the first image (Image1) search creates one result using the makeresults command.
  • The search then uses the eval command to create a field “Name” with some comma separated value.
  • Then we have used eval function split to split the comma separated value.
  • After perform split function one multivalue field has been created there and using mvexpand command we split this multivalue field in a separate row for each value.
  • In the second image (Image2) we use eval command to create a new field New_Name and also we used eval function ltrim to remove the characters from right side.

Into the rtrim function we use two arguments, first one is field name (from where we want to remove character) and the second one is which character/characters we want to remove.

  • In the new field New_Name contains output result from name field after removal of character/characters from the right side which we have mentioned as a second argument (“am”)  with the rtrim function.

Now you can effectively utilize “rtrim” function with “eval” command to meet your requirement !!

Hope you are now comfortable in : Usage of Splunk EVAL Function : RTRIM

HAPPY SPLUNKING !!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.