Splunk Search

I want to remove the first set of numbers present in the sentences below. I want the number to be present at the end.

DataOrg
Builder

000220170822013085255 017 AWS not associated with salary Number ASSD-BUS-0000 1
000220170822013085259 017 AWS not associated with salary Number ASN-BUS-0000

I want the sentence to be:
AWS not associated with salary Number ASSD-BUS-0000 1
AWS not associated with salary Number ASN-BUS-0000

0 Karma

woodcock
Esteemed Legend

Assuming the first 3 words in the sentence are in a single field called FirstThreeWords, you can do something like this:

| rex field=FirstThreeWords "(?<LastWord>\S+$)"

Then use LastWord in your sentence.
Or assuming that you need to strip the first 2 words of your Sentence field, you can do something like this:

| rex field=Sentence mode=sed "s/^\S+\s+\S+\s+//"
0 Karma

mayurr98
Super Champion

Hey @premranjithj

1) If you want to remove a number from an event from Splunk indexers then you will have to use index-time field extractions.
Refer to this link:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Anonymizedata#Anonymize_data_with_a_regular_e...

2) If you want to remove a number from an event during search time then you can use regex:

index=your_index | rex field=_raw "\d+\s\d+\s(?P<AWS_data>.*)"

Let me know if this helps!

0 Karma

niketn
Legend

@premranjithj, do you want to do this at index time or search time?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

MonkeyK
Builder

Or if all you really want is just the results starting with AWS:

|  rex field=sentence "^.*(?<show>AWS.*$)" | table show

(thanks niketnilay, I keep forgetting to use the code button)

0 Karma
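The three search-time expressions suggested above can be compared side by side before relying on one of them. This is an added example, not code from any poster in the thread: it re-expresses the patterns with Python's `re` module (so `(?<show>...)` becomes `(?P<show>...)`), assumes they behave the same as in Splunk's `rex` for these inputs, and adds two constructed events to the two from the question.

```python
import re

# The two sample events from the question, plus two constructed edge cases.
EVENTS = [
    "000220170822013085255 017 AWS not associated with salary Number ASSD-BUS-0000 1",
    "000220170822013085259 017 AWS not associated with salary Number ASN-BUS-0000",
    # constructed: "AWS" occurs twice after the numeric prefix
    "000220170822013085260 017 AWS bill moved to AWS GovCloud 2",
    # constructed: no numeric prefix, digits appear later in the line
    "AWS invoice 2017 08 overdue",
]

# Python equivalents (an assumption) of the thread's three expressions.
SED_STRIP = re.compile(r"^\S+\s+\S+\s+")              # s/^\S+\s+\S+\s+//
REX_DIGITS = re.compile(r"\d+\s\d+\s(?P<AWS_data>.*)")
REX_AWS = re.compile(r"^.*(?P<show>AWS.*$)")          # (?<show>...) in SPL


def sed_strip(event):
    """mode=sed form: drop the first two whitespace-separated tokens."""
    return SED_STRIP.sub("", event, count=1)


def rex_digits(event):
    """Unanchored form: text after the first '<digits> <digits> ' run."""
    m = REX_DIGITS.search(event)
    return m.group("AWS_data") if m else None


def rex_aws(event):
    """Greedy form: text from the last 'AWS' to the end of the line."""
    m = REX_AWS.search(event)
    return m.group("show") if m else None


def compare(events=EVENTS):
    """Return one (sed, digits, aws) tuple per event for side-by-side review."""
    return [(sed_strip(e), rex_digits(e), rex_aws(e)) for e in events]


if __name__ == "__main__":
    for event, row in zip(EVENTS, compare()):
        print(event)
        for name, value in zip(("sed", "rex digits", "rex AWS"), row):
            print(f"  {name:10} -> {value!r}")
```

All three agree on the events from the question. They diverge on the constructed ones: the greedy `^.*` keeps only the text from the last `AWS`, and the sed and digit forms cut into an event that has no numeric prefix.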

niketn
Legend

@MonkeyK you would need to post your code with the code button so that it does not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

inventsekar
SplunkTrust

Is this what you want, or something else? Please clarify:

Anonymize data
This topic discusses how to anonymize data that comes into Splunk Enterprise, such as credit card and Social Security numbers.

You might want to mask sensitive personal data when indexing log events. Credit card numbers and social security numbers are two examples of data that you might not want to appear in an index. This topic describes how to mask part of confidential fields to protect privacy while providing enough remaining data for use in tracking events.

Splunk Enterprise lets you anonymize data in two ways:

Through a regular expression (regex) transform
Through a sed script

http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles

0 Karma