Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I ignore some words form a field?

christianubeda
Path Finder
‎08-07-2019 06:30 AM

Hi team!

I have a problem.

I want to ignore some words from a field.

This what I have: "Aplicación restringida detectada: MS Windows Games (Game)"

I only need after ":" and before "(Game)"

How can I do it?

Thank you!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-07-2019 07:21 AM

Try this run anywhere search

| makeresults 
| eval data="Aplicación restringida detectada: MS Windows Games (Game)" 
| rex field=data ":\s+(?P<NewField>[^\(]+)\s+"

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-07-2019 07:21 AM

Try this run anywhere search

| makeresults 
| eval data="Aplicación restringida detectada: MS Windows Games (Game)" 
| rex field=data ":\s+(?P<NewField>[^\(]+)\s+"
Reply
Solved! Jump to solution

gaurav_maniar
Builder
‎08-07-2019 06:54 AM

Hi,

You can create new field from the existing field, append your existing query with following

| rex field=old_field "\:\s(?P<new_field>[^\(\)]+)\s?" | table old_field, new_field

old_field - current field name with all words
new_field - new field with words after ":" and before "(Game)"

Accept & Upvote the answer if it helps.

happy splunking.......!!!!

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-07-2019 06:45 AM

You could create a new field using regex, that strips out the piece you need. This would be the easiest way. You could do this through the field extractor GUI or you could do it in the search using rex:

Here is a regex that would work using the rex command in the search:

YOUR BASE SEARCH
| rex field=originalfield ":(?<newfield>[\w ]+)\("
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...