Splunk Search

Can you help me create a regular expression to remove unwanted data from a column based on a field?

DataOrg
Builder

I want to apply a regular expression to remove unwanted data in a column based on the field.

If the field value starts with android, I want to match and remove everything after the 2nd word completely. Vice versa, if the word starts with apple, I want to remove everything after the 3rd word. Please help with this regular expression...

Answer needed as below:

application_name          => field after extraction
android gingerbird 4.5    => android gingerbird
android orea 3.4          => android orea
android cake 6.7          => android cake
apple ios make 6.7        => apple ios make
apple iwatch device 4.5   => apple iwatch device

1 Solution

msivill_splunk
Splunk Employee

There might be a slicker way of doing this but this works (but not in one combined regex). Everything up to | fields - count generates some test data to work against.

| makeresults count=5 
| streamstats count
| eval application_name = CASE ( count==1, "android gingerbird 4.5", count==2, "android orea 3.4", count==3, "android cake 6.7", count==4, "apple ios make 6.7", count==5, "apple iwatch device 4.5") 
| fields - count
| rex field=application_name "^(?<make>[^\s]+).*" 
| rex field=application_name "^(?<temp_two_fields>[^\s]+\s[^\s]+).*"
| rex field=application_name "^(?<temp_three_fields>[^\s]+\s[^\s]+\s[^\s]+).*"
| eval make_model = CASE ( make=="android", temp_two_fields, make=="apple", temp_three_fields ) 
| fields - temp_two_fields, temp_three_fields
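As an added illustration (not code from this thread), the same android/apple split can be done with one combined regex: alternation keeps two words after "android" and three after "apple", and a lookahead makes sure the kept part ends at a word boundary. Python's re module needs the (?P<name>...) group syntax; Splunk's rex uses PCRE, so the equivalent rex line with (?<make_model>...) is given in a comment. The function name make_model and the sample rows are assumptions constructed for the example.

```python
import re
from typing import Optional

# One combined pattern instead of two rex commands plus a CASE():
#   android  -> keep the first two words
#   apple    -> keep the first three words
# The (?=\s|$) lookahead stops the match at a whole word, so
# "androids foo 1.0" does not match as "android".
# Splunk rex equivalent (PCRE group syntax), assumed field names:
#   | rex field=application_name "^(?<make_model>android\s+\S+|apple\s+\S+\s+\S+)(?=\s|$)"
MAKE_MODEL_RE = re.compile(r"^(?P<make_model>android\s+\S+|apple\s+\S+\s+\S+)(?=\s|$)")


def make_model(application_name: str) -> Optional[str]:
    """Return the truncated value, or None when the value starts with neither make.

    None mirrors the accepted answer, where CASE() yields null for any other make.
    """
    m = MAKE_MODEL_RE.match(application_name)
    return m.group("make_model") if m else None


# Constructed sample rows mirroring the ones in the question, plus one
# row that starts with neither make and is therefore left unmatched.
SAMPLE_ROWS = [
    "android gingerbird 4.5",
    "android orea 3.4",
    "android cake 6.7",
    "apple ios make 6.7",
    "apple iwatch device 4.5",
    "windows phone 8.1",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row!r:28} -> {make_model(row)!r}")
```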

sudosplunk
Motivator

Hi, can you paste some sample events which have this data?


493669
Super Champion

Can you try the below:

|rex field=application_name "^(?<application_name>[^\d]+?)\s*(?:\d|$)"

DataOrg
Builder

It's just a column value.
How can I apply it based on the field? @sudosplunk


gaurav_maniar
Builder

Do you want to create a new field name/column according to the condition?
OR
change the values/create a new column with the changed values?
