topic How to trim everything from a field after a comma in Splunk Search

How to trim everything from a field after a comma

sawyer2624 — Mon, 10 Feb 2020 16:07:59 GMT

I have a field that contains:

CN=Joe Smith,OU=Support,OU=Users,OU=CCA,OU=DTC,OU=ENT,DC=ent,DC=abc,DC=store,DC=corp

I'd like to trim off everything after the first comma.

This information can always be changing, so there is no set number of characters.

Thanks.

Re: How to trim everything from a field after a comma

nickhills — Mon, 10 Feb 2020 16:45:27 GMT

Hi @sawyer2624
try

|rex field=yourfield "CN\=(?P<commonName>[^\,]+)"

Re: How to trim everything from a field after a comma

jpolvino — Mon, 10 Feb 2020 16:58:59 GMT

Using sed mode on rex is one way to do it:

| makeresults
| eval thefield="CN=Joe Smith,OU=Support,OU=Users,OU=CCA,OU=DTC,OU=ENT,DC=ent,DC=abc,DC=store,DC=corp"
| rex field=thefield mode=sed "s/([^,]+).*/\1/g"

This Run Anywhere example shows a replace in-situ, which has the side effect of forever altering "thefield" going forward.

See https://regex101.com/r/EHmicm/1

Re: How to trim everything from a field after a comma

sawyer2624 — Mon, 10 Feb 2020 17:01:40 GMT

So that creates a new field just like I want it, but how do I get the original field out of the table?

Re: How to trim everything from a field after a comma

nickhills — Mon, 10 Feb 2020 17:02:58 GMT

|rex field=yourfield "CN\=(?P<commonName>[^\,]+)"|fields - yourfield