Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create a regular expression to remove unwanted data from a column based on a field?

DataOrg
Builder
‎10-29-2018 05:23 AM

i want to apply a regular expression to remove unwanted data in a column based on the field.

If field value starts with android, I want to match and remove after 2nd word completely. Vice versa, if word starts with apple, i want to remove after 3 rd words. Please help with this regular expression...

answer needed as below

application_name ==== field after extraction
android gingerbird 4.5======android gingerbird
android orea 3.4=====android orea
android cake 6.7===android cake
apple ios make 6.7==== apple ios make
apple iwatch device 4.5====apple iwatch device

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

msivill_splunk
Splunk Employee
Splunk Employee
‎10-29-2018 08:16 AM

There might be a slicker way of doing this but this works (but not in one combined regex). Everything up to | fields - count generates some test data to work against.

| makeresults count=5 
| streamstats count
| eval application_name = CASE ( count==1, "android gingerbird 4.5", count==2, "android orea 3.4", count==3, "android cake 6.7", count==4, "apple ios make 6.7", count==5, "apple iwatch device 4.5") 
| fields - count
| rex field=application_name "^(?<make>[^\s]+).*" 
| rex field=application_name "^(?<temp_two_fields>[^\s]+\s[^\s]+).*"
| rex field=application_name "^(?<temp_three_fields>[^\s]+\s[^\s]+\s[^\s]+).*"
| eval make_model = CASE ( make=="android", temp_two_fields, make=="apple", temp_three_fields ) 
| fields - temp_two_fields, temp_three_fields

View solution in original post

Reply
Solved! Jump to solution
Solution

msivill_splunk
Splunk Employee
Splunk Employee
‎10-29-2018 08:16 AM

There might be a slicker way of doing this but this works (but not in one combined regex). Everything up to | fields - count generates some test data to work against.

| makeresults count=5 
| streamstats count
| eval application_name = CASE ( count==1, "android gingerbird 4.5", count==2, "android orea 3.4", count==3, "android cake 6.7", count==4, "apple ios make 6.7", count==5, "apple iwatch device 4.5") 
| fields - count
| rex field=application_name "^(?<make>[^\s]+).*" 
| rex field=application_name "^(?<temp_two_fields>[^\s]+\s[^\s]+).*"
| rex field=application_name "^(?<temp_three_fields>[^\s]+\s[^\s]+\s[^\s]+).*"
| eval make_model = CASE ( make=="android", temp_two_fields, make=="apple", temp_three_fields ) 
| fields - temp_two_fields, temp_three_fields
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎10-29-2018 05:31 AM

Hi, Can you paste some sample events which has this data.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎10-29-2018 05:44 AM

can you try below:-

|rex field=application_name "^(?<application_name >[^\d]+)"
Reply
Solved! Jump to solution

DataOrg
Builder
‎10-29-2018 06:22 AM

its just a column value.
how can i apply based on field? @sudosplunk

0 Karma
Reply
Solved! Jump to solution

gaurav_maniar
Builder
‎11-01-2018 04:41 AM

do you want to create new field name/column according to the condition?
OR
change the values/create a new column with changed values?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...