topic Re: Remove string from field using REX or Replace in Splunk Search

Remove string from field using REX or Replace

smcdonald20 — Thu, 01 Jun 2017 10:36:03 GMT

I have a field, where all values are pre-fixed with "OPTIONS-IT\".
I would like to remove this, but not sure on the best way to do it.

example
User
OPTIONS-IT\smcdonald
OPTIONS-IT\jbloggs

I would like to change to
User
smcdonald
jbloggs

I have tried eval User= replace (User, "OPTIONS-IT\", "") but this doesn't work.

The regular expressions I have used have not worked either.
Any help appreciated.

dineshraj9 — Thu, 01 Jun 2017 10:44:28 GMT

These methods support regular expression and "\" will be treated as escape character.
Do it this way -

<your search> | rex field=User "OPTIONS.IT.(?<User>\S+)"

<your search> | eval User=replace (User, "OPTIONS\-IT.", "")

gcusello — Thu, 01 Jun 2017 11:21:27 GMT

Hi smcdonald20,
Try the following command

your_search | rex field=your_field "OPTIONS-IT\\(?<username>[^ ]*)"

Bye.
Giuseppe

woodcock — Thu, 01 Jun 2017 13:24:36 GMT

Like this (needs more escape characters):

... | rex field=User mode=sed "s/OPTIONS-IT\\\//g"

ljalvrdz — Thu, 30 Aug 2018 23:06:20 GMT

This one works great! Thanks!

daymauler — Fri, 03 Sep 2021 00:29:38 GMT

Worked like charm!!! Thanks

Splunkie — Tue, 22 Jul 2025 15:12:35 GMT

I am having a similar issue however in my case the field always has a suffix of sophos_event_input after the username. Example

User

Joe-Smith, Adams sophos_event_input

Jane-Doe, Smith sophos_event_input

I would like to change the User field to

User

Joe-Smith, Adams

Jane-Doe, Smith

Basically I want to get rid of the sophos_event_input suffix.

How will I go about this?