https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300500#M165757 <P>Hi @cpetterborg, great rex command... Great learning !</P> <P>to other rex beginners, let me explain it - <BR /> "s/^(\S+)(.<EM>?)\s(\1)/\2, /"<BR /> <CODE>^(\S+)</CODE> --- captures the first word<BR /> `(.</EM>?)<CODE>------ remaining line is captured as "\2", till the 2nd ubuntu match<BR /> </CODE>\s(\1)<CODE>---- matching for "a space and word ubuntu"<BR /> before the "/", only matching part, after this "/", its the replacement part<BR /> </CODE>\2,<CODE>--- on the replacement, leave the</CODE>\1`, write the "\2" match and then a comma ",". thats it. </P> Mon, 09 Oct 2017 06:41:32 GMT inventsekar 2017-10-09T06:41:32Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300497#M165754 <P>How do I use regex or replace to remove the first occurrence word found and replace second occurrence onward with comma?</P> <P>For example, the raw data is:<BR /> ubuntu CRON[2907]: pam_unix(cron:session): session opened for user root by (uid=0) ubuntu CRON[2907]: pam_unix(cron:session): session closed for user root </P> <P>I want it to be:<BR /> CRON[2907]: pam_unix(cron:session): session opened for user root by (uid=0),CRON[2907]: pam_unix(cron:session): session closed for user root </P> Tue, 29 Sep 2020 16:12:32 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300497#M165754 Kitteh 2020-09-29T16:12:32Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300498#M165755 <P>If you have only one second occurrence of the beginning string, this will work:</P> <PRE><CODE>| makeresults | eval _raw="ubuntu CRON[2907]: pam_unix(cron:session): session opened for user root by (uid=0) ubuntu CRON[2907]: pam_unix(cron:session): session closed for user root by (uid=0)" | rex mode=sed "s/^(\S+)(.*?)\s(\1)/\2, /" </CODE></PRE> <P>The process for multiple occurrences is more complex. Is the data in that case similar to the example that you provided? if not can you provide an example? Is there a maximum number of occurrences?</P> Mon, 09 Oct 2017 06:03:33 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300498#M165755 cpetterborg 2017-10-09T06:03:33Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300499#M165756 <P>You can run rex two times, first time to replace the first ubuntu with blank,<BR /> second ubuntu with a comma</P> <P>(if the string "ubuntu" is not known before hand, please update some more details(which spot it appears), so that rex can be updated) <BR /> (rex mode=sed can not be tested on regex101 website, i have tested it on splunk directly, it works fine.. please check the screenshot)</P> <PRE><CODE>|makeresults | eval _raw = "ubuntu CRON[2907]: pam_unix(cron:session): session opened for user root by (uid=0) ubuntu CRON[2907]: pam_unix(cron:session): session closed for user root" | rex mode=sed field=_raw "s#(^ubuntu\s)##" | rex mode=sed field=_raw "s#ubuntu#,#" | table _raw </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3640i8EDB263F7A5AD94F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 09 Oct 2017 06:11:06 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300499#M165756 inventsekar 2017-10-09T06:11:06Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300500#M165757 <P>Hi @cpetterborg, great rex command... Great learning !</P> <P>to other rex beginners, let me explain it - <BR /> "s/^(\S+)(.<EM>?)\s(\1)/\2, /"<BR /> <CODE>^(\S+)</CODE> --- captures the first word<BR /> `(.</EM>?)<CODE>------ remaining line is captured as "\2", till the 2nd ubuntu match<BR /> </CODE>\s(\1)<CODE>---- matching for "a space and word ubuntu"<BR /> before the "/", only matching part, after this "/", its the replacement part<BR /> </CODE>\2,<CODE>--- on the replacement, leave the</CODE>\1`, write the "\2" match and then a comma ",". thats it. </P> Mon, 09 Oct 2017 06:41:32 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300500#M165757 inventsekar 2017-10-09T06:41:32Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300501#M165758 <P>Thank you. I saw your original post in email. I'm glad you figured it all out. Congratulations! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I've upvoted your comment for the fine explanation!</P> Mon, 09 Oct 2017 18:15:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-replace-first-occurrence-word-with-blank-but/m-p/300501#M165758 cpetterborg 2017-10-09T18:15:41Z