Solved: How do you remove part of a field value?

zikpefu · ‎07-18-2018

I am trying to remove the +'s in between words for my table (i.e. stainless+steel to be just stainless steel) and my field name is SearchTerm. I tried the eval replace command method but it keeps saying Regex quantifier does not follow repeatable item; I do not know what to do. Any help would be appreciated.

My eval command:

| eval SearchTerm=replace(SearchTerm,"+"," ")

Edit: Spelling

woodcock · ‎07-18-2018

You need to escape like this (because + is a special command character):

 | eval SearchTerm=replace(SearchTerm,"\+"," ")

I would do it like this:

| rex field=SearchTerm mode=sed "s/\+/ /g"

View solution in original post

woodcock · ‎07-18-2018

You need to escape like this (because + is a special command character):

 | eval SearchTerm=replace(SearchTerm,"\+"," ")

I would do it like this:

| rex field=SearchTerm mode=sed "s/\+/ /g"

renjith_nair · ‎07-18-2018

Hi @zikpefu

escape '+'

eval SearchTerm=replace(SearchTerm,"\+"," ")

---
What goes around comes around. If it helps, hit it with Karma 🙂

How do you remove part of a field value?

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

How do you remove part of a field value?

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle