How to remove everything after a specific characte...

Shashank_87 · ‎04-20-2020

Hi I want to remove everything after a some characters like ? OR & when they come in a field. For example -

/temp/test?csrkyyt=12334

/test1/test2&csrkyyt=7968676

Can someone help?

vnravikumar · ‎04-20-2020

Hi @Shashank_87

Check this

| makeresults 
| eval text="/temp/test?csrkyyt=12334##/test1/test2&csrkyyt=7968676" 
| makemv delim="##" text 
| mvexpand text 
| rex field=text "(?P<output>^[^(?|&)]+)"

manjunathmeti · ‎04-20-2020

You can use rex with sed to remove all characters after ? OR &.

| rex mode=sed field=FIELD_NAME "s/[&?].*//g"

gcusello · ‎04-20-2020

Hi @Shashank_87,
you can use the rex comman, something like this:

index=my_index
| rex field=my_field "^(?<my_field>[^\&\?]*)"
| ...

that you can test at https://regex101.com/r/f8lmIs/1 .

Ciao.
Giuseppe

How to remove everything after a specific character from a field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation