I have got a field extraction called mail. So I get different kinds of mails as output.
But the following problem appears: all the mail addresses have a "." at the end and I want to remove the ".".
I tried to solve the problem by extracting the expression without the "." but it won't work.
|rex field=mail "(?<mail>[\s]+)-."
Thanks for your help!
If you really want to change the field with a Splunk search, then try the following:
| eval mail=substr(mail,1,len(mail)-1)
However, I think the better approach is to improve the actual field extraction. Can you provide the field extraction under Settings/Fields/Field extractions?
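
An added example, not part of the answer above: a search that compares the unconditional substr trim with a regex trim that only removes a trailing "." when one is present. The sample addresses and the field names by_substr and by_replace are constructed for illustration.

```spl
| makeresults
``` constructed sample values: two with a trailing dot, one without ```
| eval mail=split("alice@example.com.,bob@example.org,carol@mail.example.net.", ",")
| mvexpand mail
``` substr always drops the last character, so bob@example.org becomes bob@example.or ```
| eval by_substr=substr(mail, 1, len(mail)-1)
``` replace only strips a dot anchored at the end of the value ```
| eval by_replace=replace(mail, "\.$", "")
| table mail by_substr by_replace
``` to overwrite the field in place instead, sed mode of rex does the same trim: ```
``` | rex field=mail mode=sed "s/\.$//" ```
```

The anchored pattern leaves addresses that are already clean untouched, which matters if the field extraction is later corrected and the trim is left in saved searches.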