Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you remove varying characters from a string in a field?

newill
New Member
‎11-19-2018 01:39 PM

Hi again!

I need help with removing characters from a string. We have a tool that generates a user field that is typically domain\user. I have used replace to fix that issue because domain is static so I do replace domain* with * in user. However, sometimes the user is a local user account on a workstation and the "domain" becomes the computer name, which varies for each computer, so my previous trick won't work. How can I remove varying computer names that could be different lengths and only report the user (which could also be different lengths.

Examples

computer\user
computer1\user
computer2\user1
comp\us1

...and all I want is what is on the right side of the \

Thanks!

Tags (1)
0 Karma
Reply

anthonymelita
Contributor
‎11-19-2018 01:55 PM

Sounds like you will want to do a regex extraction. Something like

|rex field=user "(?P<User>\w+$)"

Note: I named the extracted user field with uppercase U to make it different from the originating field to avoid confusion.

0 Karma
Reply

newill
New Member
‎11-19-2018 01:59 PM

I don't understand what you just said. I have not done any regexing in my life. Is there a good guide on the rex command? The one I found for the rex command wasn't all that helpful to me.

0 Karma
Reply

anthonymelita
Contributor
‎11-19-2018 02:53 PM

I barely know regex myself.
The Splunk docs for the | rex command are http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Rex

To break down the command I wrote some.

| rex is the splunk command, you gathered that.
field=user is specifying the field name that you want to examine from your Splunk event(s). If you want to examine the whole event you can use "field=_raw"
() parentheses is a regex capture group. in this case we only have one, but it is possible to have many
?P<User> is saying the data we match should be extracted to a new Splunk field named User
\w+$ is the regular expression to match on. In this case \w is a word character + means one or more and $ means anchored from the right.

This is a very basic expression based on the little bit of info provided. It could very easily capture and extract data that you don't want it to if you were to apply it against the _raw event. That's why you want to isolate it to the specific field computer\user exists in.

For learning and practicing regex in general, there are many websites to do this on. regexr, and regex101 come to mind.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top