Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove everything after a specific character from a field

Shashank_87
Explorer
‎04-20-2020 07:11 AM

Hi I want to remove everything after a some characters like ? OR & when they come in a field. For example -

/temp/test?csrkyyt=12334

/test1/test2&csrkyyt=7968676

Can someone help?

0 Karma
Reply

vnravikumar
Champion
‎04-20-2020 07:56 PM

Hi @Shashank_87

Check this

| makeresults 
| eval text="/temp/test?csrkyyt=12334##/test1/test2&csrkyyt=7968676" 
| makemv delim="##" text 
| mvexpand text 
| rex field=text "(?P<output>^[^(?|&)]+)"
0 Karma
Reply

manjunathmeti
Champion
‎04-20-2020 07:24 AM

You can use rex with sed to remove all characters after ? OR &.

| rex mode=sed field=FIELD_NAME "s/[&?].*//g"
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-20-2020 07:16 AM

Hi @Shashank_87,
you can use the rex comman, something like this:

index=my_index
| rex field=my_field "^(?<my_field>[^\&\?]*)"
| ...

that you can test at https://regex101.com/r/f8lmIs/1 .

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...