Splunk Search

Remove string from field using REX or Replace

smcdonald20
Path Finder

I have a field, where all values are pre-fixed with "OPTIONS-IT\".
I would like to remove this, but not sure on the best way to do it.

example
User
OPTIONS-IT\smcdonald
OPTIONS-IT\jbloggs

I would like to change to
User
smcdonald
jbloggs

I have tried eval User= replace (User, "OPTIONS-IT\", "") but this doesn't work.

The regular expressions I have used have not worked either.
Any help appreciated.

Tags (2)
0 Karma
1 Solution

dineshraj9
Builder

These methods support regular expression and "\" will be treated as escape character.
Do it this way -

<your search> | rex field=User "OPTIONS.IT.(?<User>\S+)"

OR

<your search> | eval User=replace (User, "OPTIONS\-IT.", "")

View solution in original post

woodcock
Esteemed Legend

Like this (needs more escape characters):

... | rex field=User mode=sed "s/OPTIONS-IT\\\//g"
0 Karma

ljalvrdz
New Member

This one works great! Thanks!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi smcdonald20,
Try the following command

your_search | rex field=your_field "OPTIONS-IT\\(?<username>[^ ]*)"

Bye.
Giuseppe

0 Karma

dineshraj9
Builder

These methods support regular expression and "\" will be treated as escape character.
Do it this way -

<your search> | rex field=User "OPTIONS.IT.(?<User>\S+)"

OR

<your search> | eval User=replace (User, "OPTIONS\-IT.", "")

daymauler
Explorer

Worked like charm!!! Thanks

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...