Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help With Event Cleanup - Remove "-"

ghostdog920
Path Finder
‎08-07-2020 07:04 AM

I am having a problem with what i believe is writing a regex to clean up some events before i report on them in dashboard.  I am pulling specific security events from windows and each event should return a username and a domain.  I am getting those results, but with each, it is also returning a second data item "-".  That is throwing things off/making it look ugly and i havent had much luck ripping it out.  Hoping someone can assist and possibly explain what the solution is doing?  I tried to do an eval replace for the field where "-" is replaced with "" but then none of my events showed up so clearly that was wrong.  A sample event looks like this to help clarify what i am getting:

 

SplunkHelpEventExample.png

 

I basically need to drop the first line from both the "Account" and also "Account_Domain" so that i would only get service. and PF as values.

 

As always, help is greatly appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-07-2020 07:13 AM 
| eval Account_Domain=mvindex(Account_Domain,1), Account_Name=mvindex(Account_Name,1)
————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-07-2020 07:13 AM 
| eval Account_Domain=mvindex(Account_Domain,1), Account_Name=mvindex(Account_Name,1)
————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

ghostdog920
Path Finder
‎08-07-2020 07:15 AM

So the mvindex basically says for that field, choose in this case, the 2nd value for the field as the only value for that field?

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-07-2020 07:17 AM

yes, considering second value.

Account_Name and Account_Domain fields are multi value fields  and fields index start from 0 means 1st value. in our case we needed to consider second value so it would be index 1. hope its clear.

————————————
If this helps, give a like below.
Tags (1)
Reply
Solved! Jump to solution

ghostdog920
Path Finder
‎08-07-2020 07:25 AM

It is!  Thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...