https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542137#M153565 <P>rex either works in capture mode or sed mode - you could use a separate rex to edit the captured field</P> Wed, 03 Mar 2021 11:58:28 GMT ITWhisperer 2021-03-03T11:58:28Z https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542101#M153553 <P>I want to ignore the actual file name in my exception events so I can group the exceptions .</P><P>For example, regex on below event should extract only &nbsp;"Error File not found !!!" &nbsp;and ignore the actual filename in between.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Error File abracadabra.gz not found !!!</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Can you please advise on how to exclude this word in between the fixed format of words .</P><P>Thank you.</P> Wed, 03 Mar 2021 08:31:59 GMT https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542101#M153553 ppatkar 2021-03-03T08:31:59Z https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542106#M153555 <P>Use <STRONG>rex</STRONG> with <STRONG>sed</STRONG> mode:</P><LI-CODE lang="markup">| makeresults | eval test="Error File abracadabra.gz not found !!!" | rex field=test mode=sed "s/\s\w+\.(gz|tgz|zip)//g"</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P> Wed, 03 Mar 2021 08:45:32 GMT https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542106#M153555 manjunathmeti 2021-03-03T08:45:32Z https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542113#M153558 <P>To drop the 3rd word</P><LI-CODE lang="markup">| rex mode=sed "s/^(\S+\s)(\S+\s)(\S+\s)/\1\2/g"</LI-CODE><P>or for more precision</P><LI-CODE lang="markup">| rex mode=sed "s/^(Error File )(\S+\s)(not found)/\1\3/g"</LI-CODE><P>&nbsp;</P> Wed, 03 Mar 2021 09:05:41 GMT https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542113#M153558 ITWhisperer 2021-03-03T09:05:41Z https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542124#M153563 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, Thank you for your quick reply . I have a followup question as I intend to use capture group to gather errors . My existing search is something like below :</P><LI-CODE lang="markup">index=* "IOError" OR "file does not exist" | rex field=_raw max_match=1 "IOError:(?&lt;IO_ERROR&gt;.*)" | rex field=_raw max_match=1 "MESSAGE=(?&lt;FILE_ERROR&gt;file does not exist[^\d|]+)" | ... | eval ERROR_LOG = coalesce(IO_ERROR,FILE_ERROR...) </LI-CODE><P>Can I incorporate the sed mode in this type of capture group or is there any other way ?</P><P>Thank you for all your help</P><P>&nbsp;</P> Wed, 03 Mar 2021 09:37:56 GMT https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542124#M153563 ppatkar 2021-03-03T09:37:56Z https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542137#M153565 <P>rex either works in capture mode or sed mode - you could use a separate rex to edit the captured field</P> Wed, 03 Mar 2021 11:58:28 GMT https://community.splunk.com/t5/Splunk-Search/regex-exclude-nth-word-in-the-event/m-p/542137#M153565 ITWhisperer 2021-03-03T11:58:28Z