https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750321#M242289 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309196">@Splunkie</a>&nbsp;</P><P>Do you want this to affect the raw data (e.g when its indexed) or do you want the original string to exist in the data but also have a field which has it without the suffix?</P><P>You could do the following at search time:</P><LI-CODE lang="markup">| rex field=Username_Field mode=sed "s/ sophos_event_input$//" </LI-CODE><P>(See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex</A><SPAN>)</SPAN></P><P><SPAN>Alternatively you could use a REPLACE function:</SPAN></P><LI-CODE lang="markup">| eval cleaned_Username=REPLACE(Username_Field," sophos_event_input","")</LI-CODE><P>You could also make this an automatic calculated field so that you dont need to include it in your SPL:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="livehybrid_0-1753263245091.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39730i6E84BF4CAB2CA201/image-size/medium?v=v2&amp;px=400" role="button" title="livehybrid_0-1753263245091.png" alt="livehybrid_0-1753263245091.png" /></span></P><P>&nbsp;</P><P>If you want this to be replaced in the _raw event at index time then you need to deploy a props.conf file within a custom app to your HF or Indexers (whichever the data lands on first) with something like this:</P><LI-CODE lang="markup"># props.conf # [yourSourcetype] SEDCMD-removeSophosSuffix = "s/ sophos_event_input//g"</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 23 Jul 2025 09:36:46 GMT livehybrid 2025-07-23T09:36:46Z https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750318#M242287 <P>I am trying to remove a field which&nbsp; has a suffix of<SPAN>&nbsp;</SPAN><STRONG>sophos_event_input&nbsp;</STRONG>after the username. Example</P><P>Username_Field</P><P><SPAN>Joe-Smith, Adams sophos_event_input</SPAN></P><P><SPAN>Jane-Doe, Smith&nbsp;sophos_event_input</SPAN></P><P>I would like to change the Username field to only contain the users name, Example</P><P>Username_Field</P><P><SPAN>Joe-Smith, Adams&nbsp;</SPAN></P><P><SPAN>Jane-Doe, Smith&nbsp;</SPAN></P><P><SPAN>Basically I want to get rid of the&nbsp;<STRONG>sophos_event_inpu</STRONG>t suffix.</SPAN></P><P>How will I go about this?&nbsp;</P> Wed, 23 Jul 2025 09:00:36 GMT https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750318#M242287 Splunkie 2025-07-23T09:00:36Z https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750319#M242288 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309196">@Splunkie</a>&nbsp;,</P><P>do you want to do this at index time, recording the modified events or at search time (only in visualization)?</P><P>if at search time, you can use a regex in your searches like the following:</P><LI-CODE lang="markup">| rex mode=sed "s/sophos_event_input/ /g"</LI-CODE><P>if at index time, you should put in the props.conf:</P><LI-CODE lang="markup">[&lt;your_sourcetype&gt;] SEDCMD = "s/sophos_event_input/ /g"</LI-CODE><P>This conf file must be located in the first full Splunk instance where data pass through, in other words in the first Heavy Forwarder (if present) or otherwise on the Indexers.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 23 Jul 2025 09:08:17 GMT https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750319#M242288 gcusello 2025-07-23T09:08:17Z https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750321#M242289 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309196">@Splunkie</a>&nbsp;</P><P>Do you want this to affect the raw data (e.g when its indexed) or do you want the original string to exist in the data but also have a field which has it without the suffix?</P><P>You could do the following at search time:</P><LI-CODE lang="markup">| rex field=Username_Field mode=sed "s/ sophos_event_input$//" </LI-CODE><P>(See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex</A><SPAN>)</SPAN></P><P><SPAN>Alternatively you could use a REPLACE function:</SPAN></P><LI-CODE lang="markup">| eval cleaned_Username=REPLACE(Username_Field," sophos_event_input","")</LI-CODE><P>You could also make this an automatic calculated field so that you dont need to include it in your SPL:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="livehybrid_0-1753263245091.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39730i6E84BF4CAB2CA201/image-size/medium?v=v2&amp;px=400" role="button" title="livehybrid_0-1753263245091.png" alt="livehybrid_0-1753263245091.png" /></span></P><P>&nbsp;</P><P>If you want this to be replaced in the _raw event at index time then you need to deploy a props.conf file within a custom app to your HF or Indexers (whichever the data lands on first) with something like this:</P><LI-CODE lang="markup"># props.conf # [yourSourcetype] SEDCMD-removeSophosSuffix = "s/ sophos_event_input//g"</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 23 Jul 2025 09:36:46 GMT https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750321#M242289 livehybrid 2025-07-23T09:36:46Z https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750325#M242290 <P>Thanks livehybrid,&nbsp;</P><P>The first option worked perfectly. I only wanted the field to be sanitized at search time and the first option does that.</P><P>Cheers.</P><P>&nbsp;</P> Wed, 23 Jul 2025 10:43:04 GMT https://community.splunk.com/t5/Splunk-Search/Remove-string-from-field-using-REX/m-p/750325#M242290 Splunkie 2025-07-23T10:43:04Z