Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to remove part of the string using rex

aaa2324
Explorer
‎05-02-2021 10:22 PM

I have the below string and would like to remove the date and time part, please help with the query

*abc -04/30, 08:14:07 - c

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-02-2021 10:56 PM 
| makeresults
| eval _raw="abc -04/30, 08:14:07 - c"
| rex mode=sed "s/\-\d\d\/\d\d,\s\d\d:\d\d:\d\d\s/- /g"
0 Karma
Reply

aaa2324
Explorer
‎05-03-2021 01:18 AM

Thanks  however not getting the desired results, if the date and time are dynamic and keeps changing then please help with the complete query. I want to remove the date and time completely and show the results 

abc -04/30, 08:14:07 - c

abc -04/28, 08:15:06 - c

abc -04/29, 08:12:09 - a

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2021 01:35 AM

Please explain how the suggested rex does not do as you expected. It might be clearer if you provide some real anonymised events with which to work with.

0 Karma
Reply

aaa2324
Explorer
‎05-03-2021 01:59 AM

Sorry if the question was not clear.

my intention is to remove date and time fields from the below set of input.

let’s say the column xyz has below contents

abc -04/30, 08:14:07 - c

abc -04/28, 08:15:06 - c

abc -04/29, 08:12:09 - a

my result should be something like below only remove the date and time and display rest of the fields 

abc - - c

abc - - c

abc - - a

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2021 02:12 AM 
| makeresults
| eval xyz="abc -04/30, 08:14:07 - c
abc -04/28, 08:15:06 - c
abc -04/29, 08:12:09 - a"
| rex field=xyz max_match=0 "(?<xyz>.*)\n*"
| mvexpand xyz
| rex mode=sed field=xyz "s/\-\d\d\/\d\d,\s\d\d:\d\d:\d\d\s/- /g"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...