https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367791#M169810 <P>This is working for one line, as we have the same prefix with a different log message on the second line (was my fault, I didn't mention that) I used</P> <PRE><CODE>| rex max_match=0 "message=(?&lt;_raw&gt;.*)" </CODE></PRE> <P>Now it's working fine. Thank you very much.</P> Mon, 07 May 2018 13:48:19 GMT stefan_gohlke 2018-05-07T13:48:19Z https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367787#M169806 <P>Is it possiple to remove information from the column "Event" in the search app view? Some values have allready been extracted, so I would like to remove them from the event column.</P> <P>Current text in column "Event":<BR /> time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message</P> <P>New:<BR /> LOG: A long long log message</P> <P>Is that possible? How to do this?</P> Mon, 30 Apr 2018 09:03:15 GMT https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367787#M169806 stefan_gohlke 2018-04-30T09:03:15Z https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367788#M169807 <P>You should not remove these during indexing, because it will most likely break all your field extractions unless all these information has been extracted as index time fields, which it most likely isn't.</P> <P>You could use a regex like this:<BR /> <CODE>.*\smessage=(?&lt;_raw&gt;.*)$</CODE><BR /> This would replace the <CODE>_raw</CODE> field, which is what you're getting displayed as the actual event text.<BR /> So, you can simply set up a <CODE>props.conf</CODE> like this:</P> <PRE><CODE>[your-sourcetype] EXTRACT-shorten_raw_text = .*\smessage=(?&lt;_raw&gt;.*)$ </CODE></PRE> <P>Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 30 Apr 2018 09:14:24 GMT https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367788#M169807 xpac 2018-04-30T09:14:24Z https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367789#M169808 <P>The event column shows the raw event.</P> <P>Technically, you could do an <CODE>| eval _raw=...</CODE> command to apply some kind of eval functions on the _raw field, to only display the part you are looking for. Or specifically for your example: <CODE>| rex "message=(?&lt;_raw&gt;.*)"</CODE></P> Tue, 29 Sep 2020 19:17:47 GMT https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367789#M169808 FrankVl 2020-09-29T19:17:47Z https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367790#M169809 <P>Hello,</P> <P>can you past this example in your barre search:</P> <PRE><CODE>| makeresults | eval _raw="time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message" | rex "message=(?&lt;_raw&gt;.*)" </CODE></PRE> Mon, 30 Apr 2018 12:09:35 GMT https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367790#M169809 TISKAR 2018-04-30T12:09:35Z https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367791#M169810 <P>This is working for one line, as we have the same prefix with a different log message on the second line (was my fault, I didn't mention that) I used</P> <PRE><CODE>| rex max_match=0 "message=(?&lt;_raw&gt;.*)" </CODE></PRE> <P>Now it's working fine. Thank you very much.</P> Mon, 07 May 2018 13:48:19 GMT https://community.splunk.com/t5/Splunk-Search/Search-app-Remove-extracted-values-from-event-column/m-p/367791#M169810 stefan_gohlke 2018-05-07T13:48:19Z