Solved: How to use rex and sed to remove field prefix?

dmcintosh1972 · ‎01-30-2018

I would like to remove a prefix from a field where certain criteria are met but leave the prefix on on fields where criteria isnt met.

e.g

uniqueIdentifier = admjdoe
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = jdoe

uniqueIdentifier = administrator
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = inistrator

Obviously I don't want to remove the adm from administrator, and as the field includes names it should also correctly handle names like admaneil (adm aniel) etc

I need to have some kind of if uniqueIdentifier = administrator then don't apply the sed command.

Thanks

harsmarvania57 · ‎01-30-2018

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"

View solution in original post

harsmarvania57 · ‎01-30-2018

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"

How to use rex and sed to remove field prefix?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio