How to remove a group of characters for each value from list/multivalue.

dashield
Explorer

String of variable alert_type:

|detail.action=blocked|detail.devicename=hd03|detail.virus=fec_virus_macro_sic_1|detail.sha256=fd8a5b3ea9e59d3f863822cd2dddfbfded034f8ddad351c909732f18b1a82662|detail.md5=fecd3f3d9a9233c234bf0b455f73f65b

Objective:

Split the string by "|" and remove the "=" and the characters that follow it. Something like the rstrip command; however, it wasn't working with multivalue.

E.g.

detail.action
detail.devicename
detail.virus
detail.sha256
detail.md5

It seems I need to use the foreach command; however, I'm not sure how I would use it.

0 Karma
ITWhisperer
SplunkTrust
SplunkTrust

If it were in SPL, this expression would work in rex, but since you tagged it as transforms.conf, I don't know what adjustments you might need; at least it might get you part of the way there.

\|?(?<name>[^=]+)[^\|]+\|?

dashield
Explorer

Apologies, I think I mistagged it. It was for SPL only.

It is able to get the value of the first key (detail.action) after the split with "|". Is there a way I could get the rest of them?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 field=alert_type "\|?(?<name>[^=]+)[^\|]+\|?"

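To see why max_match=0 matters and what the accepted pattern actually captures, here is an added Python example (not from the thread or from Splunk) that runs the same regex over the poster's alert_type string and emulates rex's max_match behaviour; it also goes a step further and parses the string into key/value pairs. The only change to the pattern is Python's (?P<name>...) group syntax in place of PCRE's (?<name>...); the function names and the key/value pattern are my own.

```python
import re

# The alert_type value from the question (taken from the thread, not constructed).
ALERT_TYPE = (
    "|detail.action=blocked|detail.devicename=hd03"
    "|detail.virus=fec_virus_macro_sic_1"
    "|detail.sha256=fd8a5b3ea9e59d3f863822cd2dddfbfded034f8ddad351c909732f18b1a82662"
    "|detail.md5=fecd3f3d9a9233c234bf0b455f73f65b"
)

# The accepted rex pattern. Only the named-group syntax differs from the SPL
# version: Splunk's PCRE accepts (?<name>...), Python's re needs (?P<name>...).
#   \|?          optional leading pipe (the string starts with one)
#   [^=]+        the key: everything up to the first "="  -> captured as "name"
#   [^\|]+       "=" plus the value, up to the next pipe (discarded)
#   \|?          optional trailing pipe (absent on the last segment)
NAME_PATTERN = re.compile(r"\|?(?P<name>[^=]+)[^\|]+\|?")

# Assumed helper for the follow-up question: keep the values too.
# [^=|]+ stops the key at either "=" or "|", so a segment without "=" cannot
# swallow its neighbour the way [^=]+ in NAME_PATTERN would.
PAIR_PATTERN = re.compile(r"(?P<key>[^=|]+)=(?P<value>[^|]*)")


def extract_names(value: str, max_match: int = 0) -> list[str]:
    """Emulate `rex max_match=N field=alert_type`.

    rex defaults to max_match=1, which is why the poster only got the first
    key (detail.action); max_match=0 means "all matches", which finditer gives.
    """
    names = [m.group("name") for m in NAME_PATTERN.finditer(value)]
    return names if max_match == 0 else names[:max_match]


def parse_pairs(value: str) -> dict[str, str]:
    """Return the key=value segments as a dict, e.g. {'detail.md5': 'fecd...'}."""
    return {m.group("key"): m.group("value") for m in PAIR_PATTERN.finditer(value)}


if __name__ == "__main__":
    print(extract_names(ALERT_TYPE, max_match=1))  # default rex behaviour: one key
    print(extract_names(ALERT_TYPE))               # max_match=0: all five keys
    print(parse_pairs(ALERT_TYPE))
```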
dashield
Explorer

You are amazing... Thanks a lot.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please clarify.  Is the field in question a string or a multi-value field?

The foreach command doesn't work on multi-value fields.

---
If this reply helps you, Karma would be appreciated.

dashield
Explorer

It was a string.

I need to split it with "|" then remove the values after the "=".

0 Karma