https://community.splunk.com/t5/Splunk-Search/How-to-trim-information-from-search-output/m-p/596224#M207554 <P>Hi,&nbsp;</P> <P>I am having the following query:&nbsp;</P> <P>index=* sourcetype=CustomAccessLog | table "host", "source"</P> <P>&nbsp;</P> <P>The output is:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">host</TD> <TD width="50%">source</TD> </TR> <TR> <TD width="50%">server32.de.db.com</TD> <TD width="50%">/path/to/server/instances/IFM_RT_1/logs/subdir_logs/log.file</TD> </TR> <TR> <TD>server31.de.db.com</TD> <TD>/path/to/server/instances/IFM_RT_2/logs/subdir_logs/log.file</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I would need to alter the search query so that the output is becoming:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">host</TD> <TD width="50%">source</TD> </TR> <TR> <TD width="50%">32</TD> <TD width="50%">IFM_RT_1</TD> </TR> <TR> <TD>31</TD> <TD>IFM_RT_2</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Tried using the following for the IFM_RT_</P> <P><SPAN>index=* sourcetype=CustomAccessLog | rex field=_raw "(?&lt;IFM_RT_&gt;.*)", but I couldn't get the needed data.&nbsp;</SPAN></P> <P><SPAN>Can I have your help here?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks!</SPAN></P> Tue, 03 May 2022 16:02:47 GMT jugarugabi 2022-05-03T16:02:47Z https://community.splunk.com/t5/Splunk-Search/How-to-trim-information-from-search-output/m-p/596224#M207554 <P>Hi,&nbsp;</P> <P>I am having the following query:&nbsp;</P> <P>index=* sourcetype=CustomAccessLog | table "host", "source"</P> <P>&nbsp;</P> <P>The output is:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">host</TD> <TD width="50%">source</TD> </TR> <TR> <TD width="50%">server32.de.db.com</TD> <TD width="50%">/path/to/server/instances/IFM_RT_1/logs/subdir_logs/log.file</TD> </TR> <TR> <TD>server31.de.db.com</TD> <TD>/path/to/server/instances/IFM_RT_2/logs/subdir_logs/log.file</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I would need to alter the search query so that the output is becoming:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">host</TD> <TD width="50%">source</TD> </TR> <TR> <TD width="50%">32</TD> <TD width="50%">IFM_RT_1</TD> </TR> <TR> <TD>31</TD> <TD>IFM_RT_2</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Tried using the following for the IFM_RT_</P> <P><SPAN>index=* sourcetype=CustomAccessLog | rex field=_raw "(?&lt;IFM_RT_&gt;.*)", but I couldn't get the needed data.&nbsp;</SPAN></P> <P><SPAN>Can I have your help here?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks!</SPAN></P> Tue, 03 May 2022 16:02:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trim-information-from-search-output/m-p/596224#M207554 jugarugabi 2022-05-03T16:02:47Z https://community.splunk.com/t5/Splunk-Search/How-to-trim-information-from-search-output/m-p/596227#M207557 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230692">@jugarugabi</a>,</P><P>you could try to use the following regexes:</P><LI-CODE lang="markup">index=* sourcetype=CustomAccessLog | rex field=source "(?&lt;source&gt;IFM_RT_\d*)" | rex field=host "^server(?&lt;host&gt;\d+)" | table host source</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 03 May 2022 09:00:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trim-information-from-search-output/m-p/596227#M207557 gcusello 2022-05-03T09:00:38Z https://community.splunk.com/t5/Splunk-Search/How-to-trim-information-from-search-output/m-p/596813#M207744 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230692">@jugarugabi</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 07 May 2022 05:34:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trim-information-from-search-output/m-p/596813#M207744 gcusello 2022-05-07T05:34:53Z