Solved: My regex is not working in Splunk although it work...

ugruner · ‎12-06-2017

Hello,

I have a field "group" these field contains some values with a prefix: "AD-". I need to get rid of the prefix.

E.g
AD-test = test
ADtest = ADtest
test = test
AD-123 = 123
123 = 123

I am trying to do this with regex. My regex works fine outside of Splunk e.g at regex101.com or in a powershell script, but I am not able to get it work in splunk.

This is my regex: [^AD-].\s

But in splunk | rex field="group" (?[^AD-].\s) results in: Missing a search command before '^'. ..... Error in 'SearchParser': errorcontext = [^AD-].*\s)}'.

Udo

elliotproebstel · ‎12-06-2017

That's a great place to use the replace command:
[your search] | replace "AD-*" with "*" in group

Cleaner and easier than most regex!

View solution in original post

rphillips_splk · ‎12-06-2017

to clarify , you have 1 field called group and the value of the field needs AD- stripped off ?

ie:
group = AD-test

should be:

group = test

elliotproebstel · ‎12-06-2017

That's a great place to use the replace command:
[your search] | replace "AD-*" with "*" in group

Cleaner and easier than most regex!

rphillips_splk · ‎12-06-2017

I would agree with @elliotproebstel !

ugruner · ‎12-06-2017

Thanks, I am always thinking too complicated.

My regex is not working in Splunk although it works at regex101.com

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability