Hello,
I have a field "group". This field contains some values with a prefix: "AD-". I need to get rid of the prefix.
E.g.
AD-test = test
ADtest = ADtest
test = test
AD-123 = 123
123 = 123
I am trying to do this with regex. My regex works fine outside of Splunk, e.g. at regex101.com or in a PowerShell script, but I am not able to get it to work in Splunk.
This is my regex: [^AD-].\s
But in Splunk | rex field="group" (?[^AD-].\s) results in: Missing a search command before '^'. ..... Error in 'SearchParser': errorcontext = [^AD-].*\s)}'.
Udo
That's a great place to use the replace command:
[your search] | replace "AD-*" with "*" in group
Cleaner and easier than most regex!
To clarify, you have 1 field called group and the value of the field needs AD- stripped off?
i.e.:
group = AD-test
should be:
group = test
I would agree with @elliotproebstel!
Thanks, I am always thinking too complicated.
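
A self-contained search for checking the replace answer against the five sample values from the question, added here as an example and not part of the original thread. The field names original, via_replace, via_eval and via_rex are made up for this example; the eval and rex lines are regex alternatives, with rex given its expression as a quoted string containing a named capture group.

```spl
| makeresults
| eval original=split("AD-test,ADtest,test,AD-123,123", ",")
| mvexpand original
| eval via_replace=original
| replace "AD-*" with "*" in via_replace
| eval via_eval=replace(original, "^AD-", "")
| rex field=original "^(?:AD-)?(?<via_rex>.+)$"
| table original via_replace via_eval via_rex
```

The pattern [^AD-] from the question is a negated character class (one character that is not A, D or -), so it cannot express a prefix; ^AD- anchors the literal prefix at the start of the value, which is why ADtest is left alone.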