topic Re: How to remove a comma from a field value? in Splunk Search

How to remove a comma from a field value?

silasbarnesva — Thu, 11 Feb 2016 01:33:46 GMT

Hi all,

We have a field in Splunk that is populated with filenames (e.g.)

G:/some_directory/somefile.txt

Everything works just fine unless users put a comma in as part of the filename:

G:/some_directory/somefile,somemore.txt

Is there a way to remove any commas in the field in question? I've tried the following with no luck:

sourcetype=somesource | rex mode=sed field=filename "s/,//" | table filename

thx!

Re: How to remove a comma from a field value?

somesoni2 — Thu, 11 Feb 2016 01:57:12 GMT

Try any of following method line2 or line 3(the first line is just to generate some sample events, replace it with your base search)

| gentimes start=-1 | eval filename="G:/some_directory/somefile,somemore.txt" | table filename 
| eval filename1=replace(filename,",","") 
| rex field=filename mode=sed "s/,//"

Re: How to remove a comma from a field value?

silasbarnesva — Thu, 11 Feb 2016 02:16:51 GMT

No dice I'm afraid.

As stated in the question, I've already tried your Line 3 version to no avail. Just tried Line 2 but it doesn't remove those commas which results in other fields being polluted by false data from the field bleeds. Thanks for trying though 🙂

Re: How to remove a comma from a field value?

silasbarnesva — Thu, 11 Feb 2016 03:12:46 GMT

I think the problem here is that the offending comma doesn't actually populate in the extracted field so it's not able to be rex'd out - it's interpretered as a field separator.

To give a full example of a log entry:

2016-02-11 10:01:00,Minor,PC-Name,Continue, - Caller MD5=105202dad5dd174300xxxxxxxxxxxxxx,File Delete,Begin: 2016-02-11 10:01:00,End: 2016-02-11 10:02:00,Rule: Log files written to USB drives | [AC5-1.1] Log writing to USB drives,7100,C:/Program Files (x86)/Microsoft Office/Office14/EXCEL.EXE,0,No Module Name,D:/some_directory/somefile,somemore.xls,User: MrRobot,Domain: EvilCorp,Action Type: ,File size (bytes): 500000,Device ID: USBSTOR\Disk&Ven_Verbatim&Prod_&Rev_8.00\19120xxxxxxxxx&0

So we know that between Name, and ,User, it shouldn't matter how many commas appear - everything between those two identifiers should = filename.

Re: How to remove a comma from a field value?

Jeremiah — Thu, 11 Feb 2016 03:27:44 GMT

So the actual problem is that the field is truncated? In your example, the filename field would contain

D:/some_directory/somefile

But you want it to contain

D:/some_directory/somefile,somemore.xls

Could you just hack the field like this?

| rex "Name,(?<filename>.*),User:"

Re: How to remove a comma from a field value?

silasbarnesva — Tue, 29 Sep 2020 08:43:45 GMT

Thanks Jeremiah,

That works to extract the correct value into the field, but that damn comma still screws up the rest of the field values by throwing them off when they are extracted...for example, the File_Size field returns the User value and the Device_ID field returns the Domain value for affected records...

Re: How to remove a comma from a field value?

Jeremiah — Thu, 11 Feb 2016 04:18:46 GMT

Ahh ok. Can you put up your props/transforms for this sourcetype? Let's see how the extraction is configured. Thats where I think you'll need to make changes.