Re: How to remove part of the string using rex

aaa2324 · ‎05-02-2021

I have the below string and would like to remove the date and time part, please help with the query

*abc -04/30, 08:14:07 - c

ITWhisperer · ‎05-02-2021

| makeresults
| eval _raw="abc -04/30, 08:14:07 - c"
| rex mode=sed "s/\-\d\d\/\d\d,\s\d\d:\d\d:\d\d\s/- /g"

aaa2324 · ‎05-03-2021

Thanks however not getting the desired results, if the date and time are dynamic and keeps changing then please help with the complete query. I want to remove the date and time completely and show the results

abc -04/30, 08:14:07 - c

abc -04/28, 08:15:06 - c

abc -04/29, 08:12:09 - a

ITWhisperer · ‎05-03-2021

Please explain how the suggested rex does not do as you expected. It might be clearer if you provide some real anonymised events with which to work with.

aaa2324 · ‎05-03-2021

Sorry if the question was not clear.

my intention is to remove date and time fields from the below set of input.

let’s say the column xyz has below contents

abc -04/30, 08:14:07 - c

abc -04/28, 08:15:06 - c

abc -04/29, 08:12:09 - a

my result should be something like below only remove the date and time and display rest of the fields

abc - - c

abc - - a

ITWhisperer · ‎05-03-2021

| makeresults
| eval xyz="abc -04/30, 08:14:07 - c
abc -04/28, 08:15:06 - c
abc -04/29, 08:12:09 - a"
| rex field=xyz max_match=0 "(?<xyz>.*)\n*"
| mvexpand xyz
| rex mode=sed field=xyz "s/\-\d\d\/\d\d,\s\d\d:\d\d:\d\d\s/- /g"

How to remove part of the string using rex

source

time

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!