Solved: Help with regex - How to exclude multiple parenth...

jalo23 · ‎08-31-2022

Is there a more elegant way to do this? New to using rex & I can’t seem to strip out the multiple parentheses and slashes from a field without using replace. (I don't have control over the data, I know it is better to strip it out first.) These do work but in some cases there are more parentheses and slashes - is there a way to strip all of them out at once, or do I need to make repeating phrases?

| rex mode=sed field=Field_A "s/\(\)/ /g"

| rex mode=sed field=Field_B "s/\(\)/ /g"

| rex mode=sed field=Field_B "s/\// /g"

richgalloway · ‎08-31-2022

You can combine the parentheses and slash into a character class to strip them all out at once. You will, however, need a separate rex command for each field being processed.

| rex mode=sed field=Field_A "s;[\(\)/];;g"

| rex mode=sed field=Field_B "s;[\(\)/];;g"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-31-2022

You can combine the parentheses and slash into a character class to strip them all out at once. You will, however, need a separate rex command for each field being processed.

| rex mode=sed field=Field_A "s;[\(\)/];;g"

| rex mode=sed field=Field_B "s;[\(\)/];;g"

---
If this reply helps you, Karma would be appreciated.

jalo23 · ‎08-31-2022

That worked great, thank you!

Help with regex - How to exclude multiple parentheses and slashes from a field?

eval

regex

rex

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk