topic Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field? in Splunk Search

How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

amoldesai — Mon, 06 Jun 2016 17:54:55 GMT

Hi,

I need to remove square brackets and content within it from a field in a search.

eg:
Input: My name is John [Employee]
Output: My name is John

I tried with the following expression:

rex mode=sed field="name" "s/\[[^]]*//"

It returns output as: My name is John ]

I don't want the closing square bracket.

How do I modify the above pattern so that I get the desired output?

Thanks

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

richgalloway — Mon, 06 Jun 2016 18:04:51 GMT

Your regex matches everything except the closing square bracket so that's why the closing square bracket remains. Try this expression:

rex mode=sed field=name "s/\[[\w\]]*//"

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

sundareshr — Mon, 06 Jun 2016 18:08:02 GMT

Try this

| rex mode=sed field=name "s/(\[.*\])//g"

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

amoldesai — Mon, 06 Jun 2016 18:20:34 GMT

Thanks for your quick reply.

Sorry I did not mention that content in the bracket contains space character.

Using the sed expression that you provided , here is the input and output :

input : My name is John [Employee Name]

output : My name is John Name]

I need the output as: My name is John

Thanks

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

richgalloway — Mon, 06 Jun 2016 18:24:20 GMT

Insert a space in the regex.

rex mode=sed field=name "s/\[[\w\s\]]*//"

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

somesoni2 — Mon, 06 Jun 2016 18:29:07 GMT

The safest option would be this

rex mode=sed field="name" "s/\[[^\]]+\]//"

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

amoldesai — Mon, 06 Jun 2016 19:19:13 GMT

Thank you so much all of you for quickly looking into this problem. But still it does not work :

@richgalloway:

rex mode=sed field=name "s/\[[\w\s\]]*//"

output: No result found

@somesoni2:

rex mode=sed field="name" "s/\[[^\]]+\]//"

output: No result found

Sundareshr:

rex mode=sed field=name "s/(\[.*\])//g"

output: No result found

Here is the precise input string:

Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]

(with just Customer name replaced with XYZ)

In fact, I tested all the above regular expression using online website: https://regex101.com/ and found all above expressions are valid and return desired results.

But in the context of Splunk search, it fails for me. Any idea?

I am using Splunk 6.3 .

Here is the complete search [productFamily is the field in consideration] :

[|inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) |rex mode=sed field="productFamily" "s/[[\w\s]]*//" ]  |table productFamily

Thanks

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

somesoni2 — Mon, 06 Jun 2016 20:35:21 GMT

Let's gets the regex part first. Try this runanywhere sample search and let me know if the output is what you wanted.

| gentimes start=-1 | eval name=" Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]" | table name | eval orig_name=name| rex mode=sed field="name" "s/\[[^\]]+\]//"

Try this as well (your query)

 |inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) | rex mode=sed field="productFamily" "s/\[[^\]]+\]//"  |table productFamily

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

Masa — Mon, 06 Jun 2016 23:10:29 GMT

Please update this description with more detail information you described in a part of answers so that readers can understand your question clearer.

Re: How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

amoldesai — Tue, 07 Jun 2016 16:08:51 GMT

The first runanywhere sample search works fine and even the second one.But when run in the context of my query which has subsearch, it does not work.I am not sure on the root cause though.Fortunately, with the below query , I am able to get desired result:
|makemv productFamily delim=" ["|eval productFamily=mvindex(productFamily, 0)

I have confirmed the regular expression provided by you and other boarders is correct using the runanywhere sample. Thanks again for your help.