Splunk Search

My regex is not working in Splunk although it works at regex101.com

ugruner
Explorer

Hello,

I have a field "group"; this field contains some values with a prefix: "AD-". I need to get rid of the prefix.

E.g.
AD-test = test
ADtest = ADtest
test = test
AD-123 = 123
123 = 123

I am trying to do this with regex. My regex works fine outside of Splunk, e.g. at regex101.com or in a PowerShell script, but I am not able to get it to work in Splunk.

This is my regex: [^AD-].*\s

But in Splunk | rex field="group" (?[^AD-].*\s) results in: Missing a search command before '^'. ..... Error in 'SearchParser': errorcontext = [^AD-].*\s)}'.

Udo


elliotproebstel
Champion

That's a great place to use the replace command:
[your search] | replace "AD-*" with "*" in group

Cleaner and easier than most regex!

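As an added example (not from the thread), the five cases from the question fed through the accepted `replace` answer and, beside it, a quoted sed-mode `rex` anchored on the start of the value; `orig`, `via_replace` and `via_rex` are field names chosen here. Both result columns should come out identical: the unquoted `[^AD-].*\s` in the question is a negated character class rather than a literal prefix, so `s/^AD-//` is the regex form that matches what `replace "AD-*" with "*"` does.

```spl
| makeresults
| eval group=split("AD-test,ADtest,test,AD-123,123", ",")
| mvexpand group
| eval orig=group, via_rex=group
| replace "AD-*" with "*" in group
| rename group as via_replace
| rex field=via_rex mode=sed "s/^AD-//"
| table orig via_replace via_rex
```

Paste it as a complete search; `makeresults` and `mvexpand` build the test rows, so no index is needed.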

rphillips_splk
Splunk Employee

To clarify, you have 1 field called group and the value of the field needs AD- stripped off?

ie:
group = AD-test

should be:

group = test



rphillips_splk
Splunk Employee

I would agree with @elliotproebstel !


ugruner
Explorer

Thanks, I am always thinking too complicated.
