topic Re: How to remove a prefix on a field during search? in Splunk Search

How to remove a prefix on a field during search?

aba83 — Thu, 18 May 2017 23:02:25 GMT

Hello, I'm trying to normalize a field during search. I have the field "user" and some of the fields are "NAU\abc123". I'm trying to remove the prefix "NAU\". All I want is the abc123 part of it. Is there a way to remove that prefix in search? Thanks in advance.

Re: How to remove a prefix on a field during search?

kmorris_splunk — Fri, 19 May 2017 01:53:34 GMT

You can use rex in your search. Try this out.

[YOUR BASE SEARCH]
| rex field=user "\w{3}\\\(?<user2>\S+)"

Re: How to remove a prefix on a field during search?

adonio — Fri, 19 May 2017 01:55:27 GMT

hello aba,
a little confusing as you suggest both "user" and "NAU\abc123" are fields, are NAU\abc123 fields or values under the field user?

Re: How to remove a prefix on a field during search?

cmerriman — Fri, 19 May 2017 11:52:53 GMT

i think you have one extra backslash in here. \w{3}\\(?<user2>\S+)

Re: How to remove a prefix on a field during search?

kmorris_splunk — Fri, 19 May 2017 12:37:14 GMT

It was escaping the parenthesis with only 2. I had to add the extra. This is something to do with the Rex command.

Re: How to remove a prefix on a field during search?

aba83 — Fri, 19 May 2017 19:16:29 GMT

Sorry, user is the column name. It's just sometimes those fields in the column populate either with just the abc123 or they populate with NAU\abc123. They aren't consistent. Sorry for the confusion. I'm trying to make it so every field in the user column is just the userid without the prefix "NAU\".

Re: How to remove a prefix on a field during search?

aba83 — Fri, 19 May 2017 19:47:36 GMT

This worked, thank you!