Regex help please

Explorer

I have a field username. Values show up as username=mike and in some cases username=mike. with a dot at the end. How do I remove the dot from the end? This is messing up my stats values(xyz) by username.

0 Karma

Champion

Hi

Try this also

... | eval username=replace(username,"\.$","")
0 Karma

Esteemed Legend

There are many ways; here is one:

... | rex field=username mode=sed "s/\.+$//g"
0 Karma

Contributor

Hi dude @dmenon,

You can try this,

rex field=username "(?P<username>[^\.]+)"
0 Karma

Builder

If a period is legal inside, but the line always has to end with a period, this might work for you:
|rex field=username "username=(?<username>.+)\.$"

0 Karma

SplunkTrust

Hi @dmenon,
if your username has no spaces, you can try this:

| rex field=username "^(?<username>\w+)"

that you can test at https://regex101.com/r/mfLTm3/1

if instead you could have spaces in the username field, you could try this:

| rex field=username "^(?<username>.+?)\.?$"

that you can test at https://regex101.com/r/mfLTm3/2

Ciao.
Giuseppe

0 Karma
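
Added example, not posted by anyone in the thread: a Python comparison of the regex approaches suggested above, showing how each one changes the per-user grouping that `stats ... by username` depends on. Python's `re` module stands in for Splunk's PCRE engine (an assumption that holds for these simple patterns), and the sample usernames and the names in `CANDIDATES` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample values of the username field (not data from the thread).
SAMPLES = ["mike", "mike.", "john.smith", "john.smith.", "svc-backup.", "ann.."]

# Each candidate maps a raw field value to the value the search would keep.
# Assumption: Python's re behaves like Splunk's PCRE for these patterns.
CANDIDATES = {
    # replace() with an unescaped dot: "." matches ANY final character
    "replace_any_char": lambda u: re.sub(r".$", "", u),
    # replace() with the dot escaped: strips exactly one trailing period
    "replace_escaped": lambda u: re.sub(r"\.$", "", u),
    # rex mode=sed "s/\.+$//g": strips every trailing period
    "sed_trailing_dots": lambda u: re.sub(r"\.+$", "", u),
    # rex "(?P<username>[^\.]+)": keeps text up to the first period
    "capture_not_dot": lambda u: re.search(r"(?P<username>[^\.]+)", u).group("username"),
    # rex "^(?<username>\w+)": keeps leading word characters only
    "capture_word": lambda u: re.search(r"^(?P<username>\w+)", u).group("username"),
}


def normalize_all(name):
    """Return {raw value: normalized value} for one candidate."""
    return {u: CANDIDATES[name](u) for u in SAMPLES}


def counts_by_user(name):
    """Emulate 'stats count by username' after applying one candidate."""
    return Counter(CANDIDATES[name](u) for u in SAMPLES)


if __name__ == "__main__":
    for name in CANDIDATES:
        print(f"{name:18} {dict(counts_by_user(name))}")
```

Patterns that truncate at an inner period or hyphen merge distinct accounts into one bucket, which matters when the stats feed per-user alerting or investigation.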