How to use rex and sed to remove field prefix?

dmcintosh1972 — Tue, 30 Jan 2018 13:09:23 GMT

I would like to remove a prefix from a field where certain criteria are met but leave the prefix on on fields where criteria isnt met.

e.g

uniqueIdentifier = admjdoe
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = jdoe

uniqueIdentifier = administrator
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = inistrator

Obviously I don't want to remove the adm from administrator, and as the field includes names it should also correctly handle names like admaneil (adm aniel) etc

I need to have some kind of if uniqueIdentifier = administrator then don't apply the sed command.

Thanks

Re: How to use rex and sed to remove field prefix?

harsmarvania57 — Tue, 30 Jan 2018 14:15:24 GMT

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"

topic How to use rex and sed to remove field prefix? in Splunk Search

How to use rex and sed to remove field prefix?

Re: How to use rex and sed to remove field prefix?