- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to remove everything after a specific char...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently i am not familiar with REx and replace commands in splunk. Can someone help me here
i want to replace to blank anything after fullstop
for ex :
Username
A1B1.;#12345
;#12345 this character needs to be removed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| rex field=Username mode=sed "s/\..*$//"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Sir....it worked 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar issue, in the Message field from a specific event code from the WinEventLogs it says
"A memeber was added to a security-enabled global group."
Subject:
Security ID:
I want everything after the period "group." gone. I tried the above rex however nothing changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(?s)
try this option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I sorry I am very new to splunk where should I put that option in the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="\"A memeber was added to a security-enabled global group.\"
Subject:
Security ID:"
| rex mode=sed "s/(?s)\..*$/./"
cf. regex101
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="\"A memeber was added to a security-enabled global group.\"
Subject:
Security ID:"
| rex "\"(?<_raw>.+)\""
I will do it like this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have got another requirement where
for ex :
Username
Lynn Chriss H;#12345
need to remove the values from full stop [;#12345] was tryin to use the above rex by interchanging some thing like this. It doesnt work ...
| rex field="Username" mode=sed "s/[A-Z]*$//"
?
Request your help on this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, I see, my original answer also removed the . but you need to keep that, just do this:
| rex field=Username mode=sed "s/\..*$/./"
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
