Splunk Search

Help removing strings after a certain string with Rex

harshparikhxlrd
Path Finder

I'm trying to remove characters after a certain string in my search string. I am still getting the strings after "3" appearing after. I only want a 3 to be displayed.

I only want the 3 to show up from "number of supervisor reminder memos sent:" and I want everything after the 3 to remove.

0 Karma
1 Solution

woodcock
Esteemed Legend

If you would like to get 3 characters, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>.{3}?)

If you would like to get all characters up to the first character 3, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>[^3]+?)

View solution in original post

woodcock
Esteemed Legend

If you would like to get 3 characters, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>.{3}?)

If you would like to get all characters up to the first character 3, use this:

... | rex "Number of supervisor reminder memos sent:\s*(?<ex>[^3]+?)

nplamondon
SplunkTrust
SplunkTrust

It looks like your post got truncated; I don't see the complete event or your results.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...