Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to transform a string and ignore all tagged parts like {example}

HeinzWaescher
Motivator
‎11-24-2016 03:25 AM

Hi,

let's say we have a string with various tagged entries:

"This {field1} is {delete_this} the example {tagged_element}"

Is it possible to ignore all tagged elements, no matter how many of them exist? Here the result would be

"This is the example"

Thanks in advance
Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PPape
Contributor
‎11-24-2016 04:20 AM

Hello Heinz,

yes this is possible.
Where do you want to do this? before indexing?

Than you could do it in your props.conf with an regex like this example:

SEDCMD-ip = s/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})/\1xxx/g

This replaces the last octet in an IP adress.

Or when you want to do it at searchtime you could do it in your Query like this

… | eval callingPartyNumber = replace(callingPartyNumber, "(\d+)(\d{3})", "xxxxx\2")

Output in both ways is 192.168.2.xxx

So you could edit the regexes to fit your needs and replace the not wanted strings with an empty string.

View solution in original post

Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎12-13-2016 03:31 AM

Hi,

a short follow up question regarding this topic 🙂

How to only keep the tagged elements?

Best regards
Heinz

0 Karma
Reply
Solved! Jump to solution
Solution

PPape
Contributor
‎11-24-2016 04:20 AM

Hello Heinz,

yes this is possible.
Where do you want to do this? before indexing?

Than you could do it in your props.conf with an regex like this example:

SEDCMD-ip = s/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})/\1xxx/g

This replaces the last octet in an IP adress.

Or when you want to do it at searchtime you could do it in your Query like this

… | eval callingPartyNumber = replace(callingPartyNumber, "(\d+)(\d{3})", "xxxxx\2")

Output in both ways is 192.168.2.xxx

So you could edit the regexes to fit your needs and replace the not wanted strings with an empty string.

Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎11-24-2016 05:20 AM

Thanks for your post. I would like to do it at search time. Unfortunately I'm not very familiar with regex to adjust the example to my needs

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎11-24-2016 05:32 AM

could you give me an example dataline? Than i could try it.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎11-24-2016 05:34 AM

I created a testcase like this:

index=main| head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| table field

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎11-24-2016 06:00 AM

It might not be the most beutiful regex but it works with your example...

index=_internal| head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| eval field=replace(field, "{([^}]+)}|([\S])", "\2")
| table field
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎11-24-2016 06:44 AM

This works, thanks a lot!

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎11-24-2016 05:44 AM

I would assume something like {.*?}( |$)

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...