Solved: i want to cut all the words after Modified at firs...

DataOrg · ‎06-13-2017

Extesnded value Associaated With destiny: "LineIces" - "Actio1n Cod2e"; Modified: Extends Aribute - "Action"; Old Value = "Add"; New Value = "-" Modified

woodcock · ‎06-13-2017

Like this:

| rex field=ER mode=sed "s/Modified\S+.*$//g "

But maybe the \S should be \s so try this if that doesn't work:

| rex field=ER mode=sed "s/Modified\s+.*$//g "

Or maybe actually this:

| rex field=ER mode=sed "s/Modified:\s+.*$//g "

View solution in original post

woodcock · ‎06-13-2017

Like this:

| rex field=ER mode=sed "s/Modified\S+.*$//g "

But maybe the \S should be \s so try this if that doesn't work:

| rex field=ER mode=sed "s/Modified\s+.*$//g "

Or maybe actually this:

| rex field=ER mode=sed "s/Modified:\s+.*$//g "

abhinav_maxonic · ‎06-13-2017

Can you provide a sample, what the event is and what you want to extract out of that event ?

DataOrg · ‎06-13-2017

i want to cut\remove all the character when "Modified" is Present.

EX : Extesnded value Associaated With destiny: "LineIces" - "Actio1n Cod2e"; Modified: Extends Aribute - "Action"; Old Value = "Add"; New Value = "-" Modified

abhinav_maxonic · ‎06-13-2017

So if there is field A . When word "Modified" in NOT present in the event, value of A="Add" and when word "Modified" is present is the event, value of A="-" . Is this what you want ?

i want to cut all the words after Modified at first present. i used the command its only cutting Modified value others are still presents. | rex field=ER mode=sed "s/Modified\S+//g "

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!