How to remove everything after a specific characte...

Shashank_87 · ‎04-20-2020

Hi I want to remove everything after a some characters like ? OR & when they come in a field. For example -

/temp/test?csrkyyt=12334

/test1/test2&csrkyyt=7968676

Can someone help?

vnravikumar · ‎04-20-2020

Hi @Shashank_87

Check this

| makeresults 
| eval text="/temp/test?csrkyyt=12334##/test1/test2&csrkyyt=7968676" 
| makemv delim="##" text 
| mvexpand text 
| rex field=text "(?P<output>^[^(?|&)]+)"

manjunathmeti · ‎04-20-2020

You can use rex with sed to remove all characters after ? OR &.

| rex mode=sed field=FIELD_NAME "s/[&?].*//g"

gcusello · ‎04-20-2020

Hi @Shashank_87,
you can use the rex comman, something like this:

index=my_index
| rex field=my_field "^(?<my_field>[^\&\?]*)"
| ...

that you can test at https://regex101.com/r/f8lmIs/1 .

Ciao.
Giuseppe

How to remove everything after a specific character from a field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation