https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513015#M143931 <P>It is!&nbsp; Thank you so much!</P> Fri, 07 Aug 2020 14:25:19 GMT ghostdog920 2020-08-07T14:25:19Z https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513007#M143925 <P>I am having a problem with what i believe is writing a regex to clean up some events before i report on them in dashboard.&nbsp; I am pulling specific security events from windows and each event should return a username and a domain.&nbsp; I am getting those results, but with each, it is also returning a second data item "-".&nbsp; That is throwing things off/making it look ugly and i havent had much luck ripping it out.&nbsp; Hoping someone can assist and possibly explain what the solution is doing?&nbsp; I tried to do an eval replace for the field where "-" is replaced with "" but then none of my events showed up so clearly that was wrong.&nbsp; A sample event looks like this to help clarify what i am getting:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SplunkHelpEventExample.png" style="width: 745px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10103i446C5A87A570D27A/image-size/large?v=v2&amp;px=999" role="button" title="SplunkHelpEventExample.png" alt="SplunkHelpEventExample.png" /></span></P><P>&nbsp;</P><P>I basically need to drop the first line from both the "Account" and also "Account_Domain" so that i would only get service. and PF as values.</P><P>&nbsp;</P><P>As always, help is greatly appreciated.</P> Fri, 07 Aug 2020 14:04:11 GMT https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513007#M143925 ghostdog920 2020-08-07T14:04:11Z https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513010#M143927 <LI-CODE lang="markup">| eval Account_Domain=mvindex(Account_Domain,1), Account_Name=mvindex(Account_Name,1)</LI-CODE> Fri, 07 Aug 2020 14:13:45 GMT https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513010#M143927 thambisetty 2020-08-07T14:13:45Z https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513011#M143928 <P>So the mvindex basically says for that field, choose in this case, the 2nd value for the field as the only value for that field?</P> Fri, 07 Aug 2020 14:15:34 GMT https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513011#M143928 ghostdog920 2020-08-07T14:15:34Z https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513012#M143929 <P>yes, considering second value.</P><P>Account_Name and Account_Domain fields are multi value fields&nbsp; and fields index start from 0 means 1st value. in our case we needed to consider second value so it would be index 1. hope its clear.</P> Fri, 07 Aug 2020 14:17:51 GMT https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513012#M143929 thambisetty 2020-08-07T14:17:51Z https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513015#M143931 <P>It is!&nbsp; Thank you so much!</P> Fri, 07 Aug 2020 14:25:19 GMT https://community.splunk.com/t5/Splunk-Search/Help-With-Event-Cleanup-Remove-quot-quot/m-p/513015#M143931 ghostdog920 2020-08-07T14:25:19Z