Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How do you remove varying characters from a string...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you remove varying characters from a string in a field?
newill
New Member
11-19-2018
01:39 PM
Hi again!
I need help with removing characters from a string. We have a tool that generates a user field that is typically domain\user. I have used replace to fix that issue because domain is static so I do replace domain* with * in user. However, sometimes the user is a local user account on a workstation and the "domain" becomes the computer name, which varies for each computer, so my previous trick won't work. How can I remove varying computer names that could be different lengths and only report the user (which could also be different lengths.
Examples
computer\user
computer1\user
computer2\user1
comp\us1
...and all I want is what is on the right side of the \
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anthonymelita
Contributor
11-19-2018
01:55 PM
Sounds like you will want to do a regex extraction. Something like
|rex field=user "(?P<User>\w+$)"
Note: I named the extracted user field with uppercase U to make it different from the originating field to avoid confusion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
newill
New Member
11-19-2018
01:59 PM
I don't understand what you just said. I have not done any regexing in my life. Is there a good guide on the rex command? The one I found for the rex command wasn't all that helpful to me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anthonymelita
Contributor
11-19-2018
02:53 PM
I barely know regex myself.
The Splunk docs for the | rex command are http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Rex
To break down the command I wrote some.
| rex is the splunk command, you gathered that.
field=user is specifying the field name that you want to examine from your Splunk event(s). If you want to examine the whole event you can use "field=_raw"
() parentheses is a regex capture group. in this case we only have one, but it is possible to have many
?P<User> is saying the data we match should be extracted to a new Splunk field named User
\w+$ is the regular expression to match on. In this case \w is a word character + means one or more and $ means anchored from the right.
This is a very basic expression based on the little bit of info provided. It could very easily capture and extract data that you don't want it to if you were to apply it against the _raw event. That's why you want to isolate it to the specific field computer\user exists in.
For learning and practicing regex in general, there are many websites to do this on. regexr, and regex101 come to mind.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
