Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use rex and sed to remove field prefix?

dmcintosh1972
Explorer
‎01-30-2018 05:09 AM

I would like to remove a prefix from a field where certain criteria are met but leave the prefix on on fields where criteria isnt met.

e.g

uniqueIdentifier = admjdoe
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = jdoe

uniqueIdentifier = administrator
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = inistrator

Obviously I don't want to remove the adm from administrator, and as the field includes names it should also correctly handle names like admaneil (adm aniel) etc

I need to have some kind of if uniqueIdentifier = administrator then don't apply the sed command.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
SplunkTrust
SplunkTrust
‎01-30-2018 06:15 AM

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
SplunkTrust
SplunkTrust
‎01-30-2018 06:15 AM

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...