Solved: How to remove characters from the end of a field?

ajdyer2000 · ‎08-14-2018

I have a file called "HelpDeskUsers"

I would like to remove the names from the end of the field.

HelpDesk Users
134-ABC-HelpDesk-Admins Joe
127-ABC-HelpDesk-Admins Mary
178-ABC-HelpDesk-Admins Daniel
189-ABC-HelpDesk-Admins Eva
139-ABC-HelpDesk-Admins Alan

Results:
HelpDesk Users
134-ABC-HelpDesk-Admins 
127-ABC-HelpDesk-Admins 
178-ABC-HelpDesk-Admins 
189-ABC-HelpDesk-Admins 
139-ABC-HelpDesk-Admins

Thanks

somesoni2 · ‎08-14-2018

Try like this

your current search with field "HelpDeskUsers"
| eval "HelpDeskUsers"=replace('HelpDeskUsers',"^(.+)\s+\S+$","\1")

View solution in original post

ajdyer2000 · ‎08-16-2018

Works great thanks

marycordova · ‎08-14-2018

| rex field=HelpDeskUsers "(?<HelpDeskUsers>^[^\s]*)"

pipe | splunk command rex applied to field=fieldname quote paren "( to start the regex capture and name the new field ?<newfieldname> regex ^[^\s]* quote paren to close )"

i like this book to help with regex https://www.amazon.com/Teach-Yourself-Regular-Expressions-Minutes/dp/0672325667

@marycordova

Ayn · ‎08-14-2018

If what you're after is everything before the first space character, this should work:

... | eval HelpDeskUsers=mvindex(split(HelpDeskUsers," "),0)

That is, make a multivalue field out of HelpDeskUsers by splitting it on space characters, then grab the first entry in the newly created multivalue field.

somesoni2 · ‎08-14-2018

Try like this

your current search with field "HelpDeskUsers"
| eval "HelpDeskUsers"=replace('HelpDeskUsers',"^(.+)\s+\S+$","\1")

How to remove characters from the end of a field?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7