How do I remove a dash (-) from the Account_Name f...

AbelCruz · ‎12-17-2018

The Account_Name and other fields show a dash (-) as a value in addition to the actual Account_Name. I can't filter it out since it does exclude the actual value. How can the field value be rectified to show only the proper value?

spayneort · ‎12-17-2018

##### Explanation for SEDCMD Extractions #####
## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"

##### SEDCMD Extractions #####
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g

Source

Add to props.conf, remove the # before SEDCMD-windows_security_event_formater.

twinspop · ‎12-17-2018

mvfilter?

| eval Account_Name=mvfilter(!match(Account_Name,"^-$"))

saurabhkharkar · ‎12-17-2018

Try this -

| eval Account_Name = mvindex(Account_Name,1)

AbelCruz · ‎12-17-2018

Thank you for the suggestion but I need to find the way to fix the filed at indexing so it won't be split in two values and the dash excluded. Excluding/masking it during search will require for me to be always available when a user wants to do a search

How do I remove a dash (-) from the Account_Name field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation