How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

Explorer

Hi,

I need to remove square brackets and the content within them from a field in a search.

eg:
Input: My name is John [Employee]
Output: My name is John

I tried with the following expression:

rex mode=sed field="name" "s/\[[^]]*//"

It returns output as: My name is John ]

I don't want the closing square bracket.

How do I modify the above pattern so that I get the desired output?

Thanks

0 Karma
1 Solution

Legend

Try this

| rex mode=sed field=name "s/(\[.*\])//g"

Splunk Employee

Please update this description with the more detailed information you described in some of the answers so that readers can understand your question more clearly.

0 Karma

SplunkTrust

The safest option would be this

rex mode=sed field="name" "s/\[[^\]]+\]//"
0 Karma

Explorer

Thank you so much, all of you, for quickly looking into this problem. But it still does not work:

@richgalloway:

rex mode=sed field=name "s/\[[\w\s\]]*//"

output: No result found

@somesoni2:

rex mode=sed field="name" "s/\[[^\]]+\]//"

output: No result found

Sundareshr:

rex mode=sed field=name "s/(\[.*\])//g"

output: No result found

Here is the precise input string:

Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]

(with just Customer name replaced with XYZ)

In fact, I tested all the above regular expressions using the online website https://regex101.com/ and found that all the above expressions are valid and return the desired results.

But in the context of Splunk search, it fails for me. Any idea?

I am using Splunk 6.3.

Here is the complete search [productFamily is the field in consideration]:

[|inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) |rex mode=sed field="productFamily" "s/[[\w\s]]*//" ]  |table productFamily

Thanks

0 Karma

SplunkTrust

Let's get the regex part first. Try this runanywhere sample search and let me know if the output is what you wanted.

| gentimes start=-1 | eval name=" Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]" | table name | eval orig_name=name| rex mode=sed field="name" "s/\[[^\]]+\]//"

Try this as well (your query)

 |inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) | rex mode=sed field="productFamily" "s/\[[^\]]+\]//"  |table productFamily
0 Karma

Explorer

The first runanywhere sample search works fine and even the second one. But when run in the context of my query which has a subsearch, it does not work. I am not sure of the root cause though. Fortunately, with the below query, I am able to get the desired result:
|makemv productFamily delim=" ["|eval productFamily=mvindex(productFamily, 0)

I have confirmed the regular expression provided by you and other boarders is correct using the runanywhere sample. Thanks again for your help.

0 Karma

SplunkTrust

Your regex matches everything except the closing square bracket so that's why the closing square bracket remains. Try this expression:

rex mode=sed field=name "s/\[[\w\]]*//"
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

Thanks for your quick reply.

Sorry, I did not mention that the content in the brackets contains a space character.

Using the sed expression that you provided, here is the input and output:

input : My name is John [Employee Name]

output : My name is John Name]

I need the output as: My name is John

Thanks

0 Karma

SplunkTrust

Insert a space in the regex.

rex mode=sed field=name "s/\[[\w\s\]]*//"
---
If this reply helps you, an upvote would be appreciated.
0 Karma
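
A side-by-side comparison of the sed expressions posted in this thread, added here as an example and not written by any of the posters. It uses Python's `re` module as a stand-in for Splunk's regex engine, on the assumption that these simple patterns behave the same in both; the `sed_sub` helper, the constructed string `TWO` and the `NEGATED_G` variant are introduced for illustration only.

```python
import re

# sed expressions exactly as posted in the thread
POSTED = {
    "question":   r"s/\[[^]]*//",
    "greedy":     r"s/(\[.*\])//g",
    "negated":    r"s/\[[^\]]+\]//",
    "word":       r"s/\[[\w\]]*//",
    "word_space": r"s/\[[\w\s\]]*//",
}
# Added variant (not posted in the thread): negated class plus the g flag
NEGATED_G = r"s/\[[^\]]+\]//g"

# ONE is the string from the thread; TWO is constructed (two bracket groups)
ONE = "Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]"
TWO = "Router [LAB A] uplink to switch [LAB B]"


def sed_sub(expr, text):
    """Apply s/pattern/replacement/flags; assumes no '/' inside the parts."""
    _, pattern, repl, flags = expr.split("/")
    count = 0 if "g" in flags else 1  # without g only the first match is replaced
    return re.sub(pattern, repl, text, count=count)


def compare(text):
    """Return {label: result} for every posted expression."""
    return {name: sed_sub(expr, text) for name, expr in POSTED.items()}


if __name__ == "__main__":
    for sample in (ONE, TWO):
        print(sample)
        for name, out in compare(sample).items():
            print(f"  {name:<11}{out!r}")
        print(f"  {'negated_g':<11}{sed_sub(NEGATED_G, sample)!r}")
```

On the two-bracket string the greedy `.*` and the `[\w\s\]]*` patterns also delete the text between the bracket groups, while the negated class removes only the bracketed parts. Every result keeps the space that preceded the bracket, so a trim is still needed if that matters.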