Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove characters from the end of a field?

ajdyer2000
Path Finder
‎08-14-2018 12:54 PM

I have a file called "HelpDeskUsers"

I would like to remove the names from the end of the field.

HelpDesk Users
134-ABC-HelpDesk-Admins Joe
127-ABC-HelpDesk-Admins Mary
178-ABC-HelpDesk-Admins Daniel
189-ABC-HelpDesk-Admins Eva
139-ABC-HelpDesk-Admins Alan

Results:
HelpDesk Users
134-ABC-HelpDesk-Admins 
127-ABC-HelpDesk-Admins 
178-ABC-HelpDesk-Admins 
189-ABC-HelpDesk-Admins 
139-ABC-HelpDesk-Admins

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-14-2018 01:37 PM

Try like this

your current search with field "HelpDeskUsers"
| eval "HelpDeskUsers"=replace('HelpDeskUsers',"^(.+)\s+\S+$","\1")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ajdyer2000
Path Finder
‎08-16-2018 08:30 AM

Works great thanks

0 Karma
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎08-14-2018 04:52 PM

| rex field=HelpDeskUsers "(?<HelpDeskUsers>^[^\s]*)"

pipe | splunk command rex applied to field=fieldname quote paren "( to start the regex capture and name the new field ?<newfieldname> regex ^[^\s]* quote paren to close )"

i like this book to help with regex https://www.amazon.com/Teach-Yourself-Regular-Expressions-Minutes/dp/0672325667

@marycordova
0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎08-14-2018 01:42 PM

If what you're after is everything before the first space character, this should work:

... | eval HelpDeskUsers=mvindex(split(HelpDeskUsers," "),0)

That is, make a multivalue field out of HelpDeskUsers by splitting it on space characters, then grab the first entry in the newly created multivalue field.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-14-2018 01:37 PM

Try like this

your current search with field "HelpDeskUsers"
| eval "HelpDeskUsers"=replace('HelpDeskUsers',"^(.+)\s+\S+$","\1")
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...