https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179989#M51808 <P>Hi,<BR /> I'm not sure why you want to avoid <CODE>mode=sed</CODE>. It seems like the correct way. In any case, if you do want to avoid it, the following should do the trick of recognising an A or B at the end:</P> <PRE><CODE>rex field=host "(?&lt;host&gt;.*)[A,B]$" </CODE></PRE> <P>HTH</P> Wed, 13 Aug 2014 10:12:53 GMT echalex 2014-08-13T10:12:53Z https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179988#M51807 <P>Hi!</P> <P>I am changing a string in the host field of output with this format</P> <PRE><CODE>ZX3B1093200198A ZX3B1093200198B </CODE></PRE> <P>The last alpha character is either 'A' or 'B' <BR /> (with that some might be able to guess what the platform is)</P> <P>I can do precisely that with a simple <EM>sed</EM></P> <PRE><CODE>index=relevant index name sourcetype=relevant source type | rex mode=sed field=host "s/[A-B]$//" </CODE></PRE> <P>That, not surprisingly, works. But I would like to do the same with rex, but without resorting to <EM>sed</EM>, which doesn't get used elsewhere.</P> <P>This works;</P> <PRE><CODE>index=relevant index name sourcetype=relevant source type | rex field=host "(?&lt;host&gt;.*).{1}" </CODE></PRE> <P>But I want to specify that only the characters 'A' or 'B' (always uppercase) are removed if present. </P> <P>I tried <CODE>(?&lt;host&gt;.*[A,B]).{1}</CODE> and a few other similar combinations but can't achieve that very last bit.</P> <P>Any pointers or assistance gratefully received!</P> Wed, 13 Aug 2014 08:59:16 GMT https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179988#M51807 avalon 2014-08-13T08:59:16Z https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179989#M51808 <P>Hi,<BR /> I'm not sure why you want to avoid <CODE>mode=sed</CODE>. It seems like the correct way. In any case, if you do want to avoid it, the following should do the trick of recognising an A or B at the end:</P> <PRE><CODE>rex field=host "(?&lt;host&gt;.*)[A,B]$" </CODE></PRE> <P>HTH</P> Wed, 13 Aug 2014 10:12:53 GMT https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179989#M51808 echalex 2014-08-13T10:12:53Z https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179990#M51809 <P>Firstly, I do agree with @echalex about best way for this requirement is to use rex with sed. </P> <P>Keeping your requirement of removing 'A' or 'B' from last part to be removed, if present, try one of following options (run anywhere sample, added rex-sed example as well for comparison)</P> <PRE><CODE>|gentimes start=-1 | eval host="ZX3B1093200198A ZX3B1093200198B ZX3B1093200198" | table host | makemv host | mvexpand host | eval host1=host | rex mode=sed field=host1 "s/[A-B]$//" | rex field=host "(?&lt;host2&gt;.*[^AB])" | eval host3=replace(host,"((\w+\d+)*)([AB])$","\1") | eval host4=rtrim(host,"AB") </CODE></PRE> Wed, 13 Aug 2014 19:45:47 GMT https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179990#M51809 somesoni2 2014-08-13T19:45:47Z https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179991#M51810 <P>Terrific!<BR /> All for the need of a bracket in the right place!</P> <P>The sed routine really looks the most efficient!</P> Wed, 13 Aug 2014 20:08:04 GMT https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179991#M51810 avalon 2014-08-13T20:08:04Z https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179992#M51811 <P>Great answer! Nice to see all of the options available.</P> Wed, 13 Aug 2014 20:09:18 GMT https://community.splunk.com/t5/Splunk-Search/rex-expression-without-resorting-to-mode-sed/m-p/179992#M51811 avalon 2014-08-13T20:09:18Z