Solved: Re: Can I ignore some words form a field?

christianubeda · ‎08-07-2019

Hi team!

I have a problem.

I want to ignore some words from a field.

This what I have: "Aplicación restringida detectada: MS Windows Games (Game)"

I only need after ":" and before "(Game)"

How can I do it?

Thank you!

mayurr98 · ‎08-07-2019

Try this run anywhere search

| makeresults 
| eval data="Aplicación restringida detectada: MS Windows Games (Game)" 
| rex field=data ":\s+(?P<NewField>[^\(]+)\s+"

View solution in original post

mayurr98 · ‎08-07-2019

Try this run anywhere search

| makeresults 
| eval data="Aplicación restringida detectada: MS Windows Games (Game)" 
| rex field=data ":\s+(?P<NewField>[^\(]+)\s+"

gaurav_maniar · ‎08-07-2019

Hi,

You can create new field from the existing field, append your existing query with following

| rex field=old_field "\:\s(?P<new_field>[^\(\)]+)\s?" | table old_field, new_field

old_field - current field name with all words
new_field - new field with words after ":" and before "(Game)"

Accept & Upvote the answer if it helps.

happy splunking.......!!!!

kmorris_splunk · ‎08-07-2019

You could create a new field using regex, that strips out the piece you need. This would be the easiest way. You could do this through the field extractor GUI or you could do it in the search using rex:

Here is a regex that would work using the rex command in the search:

YOUR BASE SEARCH
| rex field=originalfield ":(?<newfield>[\w ]+)\("

Can I ignore some words form a field?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability