How do I remove a dash (-) from the Account_Name f...

AbelCruz · ‎12-17-2018

The Account_Name and other fields show a dash (-) as a value in addition to the actual Account_Name. I can't filter it out since it does exclude the actual value. How can the field value be rectified to show only the proper value?

spayneort · ‎12-17-2018

##### Explanation for SEDCMD Extractions #####
## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"

##### SEDCMD Extractions #####
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g

Source

Add to props.conf, remove the # before SEDCMD-windows_security_event_formater.

twinspop · ‎12-17-2018

mvfilter?

| eval Account_Name=mvfilter(!match(Account_Name,"^-$"))

saurabhkharkar · ‎12-17-2018

Try this -

| eval Account_Name = mvindex(Account_Name,1)

AbelCruz · ‎12-17-2018

Thank you for the suggestion but I need to find the way to fix the filed at indexing so it won't be split in two values and the dash excluded. Excluding/masking it during search will require for me to be always available when a user wants to do a search

How do I remove a dash (-) from the Account_Name field?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How do I remove a dash (-) from the Account_Name field?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!