Solved: Help removing strings after a certain string with ...

harshparikhxlrd · ‎10-31-2019

I'm trying to remove characters after a certain string in my search string. I am still getting the strings after "3" appearing after. I only want a 3 to be displayed.

I only want the 3 to show up from "number of supervisor reminder memos sent:" and I want everything after the 3 to remove.

woodcock · ‎10-31-2019

If you would like to get 3 characters, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>.{3}?)

If you would like to get all characters up to the first character 3, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>[^3]+?)

View solution in original post

woodcock · ‎10-31-2019

If you would like to get 3 characters, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>.{3}?)

If you would like to get all characters up to the first character 3, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>[^3]+?)

nplamondon · ‎10-31-2019

It looks like your post got truncated; I don't see the complete event or your results.

Help removing strings after a certain string with Rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation