topic Re: Remove only fields that do not have suffix in Splunk Search

Remove only fields that do not have suffix

duesser — Wed, 01 Nov 2023 14:31:09 GMT

Basically I have a search with a lot of fields, similar to this example:

| makeresults | eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5

from this I would basically like to keep everything except for aa* that does not contain the suffix x. I tried

| fields -aa* aa*x

as well as similar approaches, but they do not work:

1) either deleting all aa* (including aa*x)

2) not keeping b or

3)not deleting aa* at all.

I would know how to solve this with regex: "aa.+(?<!x)$" as can be seen here:

https://regex101.com/r/JfVHCJ/latest

Is there any SPL equivalent?

Re: Remove only fields that do not have suffix

richgalloway — Wed, 01 Nov 2023 14:59:36 GMT

Have you tried this?

| makeresults | eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5 | fields + aa*x b

Re: Remove only fields that do not have suffix

duesser — Wed, 01 Nov 2023 15:05:44 GMT

While this is possible, there are a lot of b's in the real search and I am looking for a way to not have to write those out individually. - I would like a negative formulation if possible

Re: Remove only fields that do not have suffix

ITWhisperer — Wed, 01 Nov 2023 15:10:13 GMT