Dashboards & Visualizations

Remove everything before backslash in string?

Nomarja
Engager

I am trying to remove some unwanted characters before the backslash, but it is ignoring some machines as they have different name standards.

I want to remove the domain name and machine name from the Local Administrator group.

 My data comes like this in one string as below

labmachine000r\administrator labmachine000d\support  labdomain\admingroup labdomain\helpdesk

I managed to remove the characters before the backslash using this

 

| eval adminlocal=replace(adminlocal, "\w+(\\\\)+","")

 

and my result is like below:

administrator support  admingroup helpdesk

That is working fine for the machine above, but if I have a machine name like "L-02labmachine000r", the replace command gives the result like this:

L-administrator L-support admingroup helpdesk

Is there any way to adjust my replace command to cover that machine name?

 

 

Labels (1)
Tags (2)
0 Karma
1 Solution

Gr0und_Z3r0
Contributor

Something like this....

| makeresults
| eval adminlocal = "labmachine000r\administrator labmachine000d\support labdomain\admingroup labdomain\helpdesk"
| eval adminlocal=replace(adminlocal, "\w+(\\\\)+","")
| eval mc = "L-02labmachine000r\administrator L-02labmachine000r\support L-02labmachine000r\admingroup L-02labmachine000r\helpdesk labdomain\admingroup labdomain\helpdesk L-99labmachine000r\admingroup L-0216labmachine000r\helpdesk"
| eval new_mc=replace(mc,"[\w\d\-]+(\\\)+","")

Gr0und_Z3r0_0-1637843842052.png

 

Please upvote if it helps.

View solution in original post

Nomarja
Engager

Thanks @Gr0und_Z3r0 , that did the trick. I appreciate your help

0 Karma

Gr0und_Z3r0
Contributor

Cheers mate. Happy Splunking!

0 Karma

Gr0und_Z3r0
Contributor

Something like this....

| makeresults
| eval adminlocal = "labmachine000r\administrator labmachine000d\support labdomain\admingroup labdomain\helpdesk"
| eval adminlocal=replace(adminlocal, "\w+(\\\\)+","")
| eval mc = "L-02labmachine000r\administrator L-02labmachine000r\support L-02labmachine000r\admingroup L-02labmachine000r\helpdesk labdomain\admingroup labdomain\helpdesk L-99labmachine000r\admingroup L-0216labmachine000r\helpdesk"
| eval new_mc=replace(mc,"[\w\d\-]+(\\\)+","")

Gr0und_Z3r0_0-1637843842052.png

 

Please upvote if it helps.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...