topic Re: How to remove everything after a specific character in a line in Splunk Search

How to remove everything after a specific character in a line

rijinc — Mon, 27 Mar 2017 06:25:00 GMT

Currently i am not familiar with REx and replace commands in splunk. Can someone help me here
i want to replace to blank anything after fullstop

for ex :
Username
A1B1.;#12345

;#12345 this character needs to be removed.

Re: How to remove everything after a specific character in a line

woodcock — Mon, 27 Mar 2017 06:45:43 GMT

Like this:

| rex field=Username mode=sed "s/\..*$//"

Re: How to remove everything after a specific character in a line

rijinc — Mon, 27 Mar 2017 06:48:58 GMT

Thanks Sir....it worked 🙂

Re: How to remove everything after a specific character in a line

rijinc — Mon, 27 Mar 2017 09:28:46 GMT

i have got another requirement where

for ex :
Username
Lynn Chriss H;#12345

need to remove the values from full stop [;#12345] was tryin to use the above rex by interchanging some thing like this. It doesnt work ...
| rex field="Username" mode=sed "s/[A-Z]*$//"
?
Request your help on this

Re: How to remove everything after a specific character in a line

woodcock — Mon, 27 Mar 2017 17:55:58 GMT

Oh, I see, my original answer also removed the . but you need to keep that, just do this:

 | rex field=Username mode=sed "s/\..*$/./"

Re: How to remove everything after a specific character in a line

sylinttest — Thu, 30 Jan 2020 21:20:19 GMT

I have a similar issue, in the Message field from a specific event code from the WinEventLogs it says

"A memeber was added to a security-enabled global group."
Subject:
Security ID:

I want everything after the period "group." gone. I tried the above rex however nothing changed.

Re: How to remove everything after a specific character in a line

to4kawa — Fri, 31 Jan 2020 09:12:06 GMT

(?s)
try this option.

Re: How to remove everything after a specific character in a line

sylinttest — Fri, 31 Jan 2020 18:53:20 GMT

I sorry I am very new to splunk where should I put that option in the search?

Re: How to remove everything after a specific character in a line

to4kawa — Fri, 31 Jan 2020 23:27:16 GMT

| makeresults
| eval _raw="\"A memeber was added to a security-enabled global group.\"
Subject:
Security ID:"
 | rex mode=sed "s/(?s)\..*$/./"

cf. regex101

Re: How to remove everything after a specific character in a line

to4kawa — Sat, 01 Feb 2020 00:10:21 GMT

| makeresults
| eval _raw="\"A memeber was added to a security-enabled global group.\"
 Subject:
 Security ID:"
 | rex "\"(?<_raw>.+)\""

I will do it like this.