Splunk Search

How do I edit my "rex mode=sed..." statement to remove square brackets and the content within them from a field?

amoldesai
Explorer

Hi,

I need to remove square brackets and the content within them from a field in a search.

eg:
Input: My name is John [Employee]
Output: My name is John

I tried with the following expression:

rex mode=sed field="name" "s/\[[^]]*//"

It returns output as: My name is John ]

I don't want the closing square bracket.

How do I modify the above pattern so that I get the desired output?

Thanks

0 Karma
1 Solution

sundareshr
Legend

Try this

| rex mode=sed field=name "s/(\[.*\])//g"


Masa
Splunk Employee

Please update this description with the more detailed information you gave in some of the answers so that readers can understand your question more clearly.

0 Karma

somesoni2
SplunkTrust

The safest option would be this

rex mode=sed field="name" "s/\[[^\]]+\]//"
0 Karma

amoldesai
Explorer

Thank you so much, all of you, for quickly looking into this problem. But it still does not work:

@richgalloway:

rex mode=sed field=name "s/\[[\w\s\]]*//"

output: No result found

@somesoni2:

rex mode=sed field="name" "s/\[[^\]]+\]//"

output: No result found

Sundareshr:

rex mode=sed field=name "s/(\[.*\])//g"

output: No result found

Here is the precise input string:

Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]

(with just Customer name replaced with XYZ)

In fact, I tested all the above regular expressions using the online website https://regex101.com/ and found that all the above expressions are valid and return the desired results.

But in the context of Splunk search, it fails for me. Any idea?

I am using Splunk 6.3.

Here is the complete search [productFamily is the field in consideration]:

[|inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) |rex mode=sed field="productFamily" "s/[[\w\s]]*//" ]  |table productFamily

Thanks

0 Karma

somesoni2
SplunkTrust

Let's get the regex part first. Try this runanywhere sample search and let me know if the output is what you wanted.

| gentimes start=-1 | eval name=" Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]" | table name | eval orig_name=name| rex mode=sed field="name" "s/\[[^\]]+\]//"

Try this as well (your query)

 |inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) | rex mode=sed field="productFamily" "s/\[[^\]]+\]//"  |table productFamily
0 Karma

amoldesai
Explorer

The first runanywhere sample search works fine, and even the second one. But when run in the context of my query, which has a subsearch, it does not work. I am not sure of the root cause, though. Fortunately, with the below query, I am able to get the desired result:
|makemv productFamily delim=" ["|eval productFamily=mvindex(productFamily, 0)

I have confirmed the regular expression provided by you and other boarders is correct using the runanywhere sample. Thanks again for your help.

0 Karma

richgalloway
SplunkTrust

Your regex matches everything except the closing square bracket so that's why the closing square bracket remains. Try this expression:

rex mode=sed field=name "s/\[[\w\]]*//"
---
If this reply helps you, Karma would be appreciated.
0 Karma

amoldesai
Explorer

Thanks for your quick reply.

Sorry, I did not mention that the content in the brackets contains a space character.

Using the sed expression that you provided, here is the input and output:

input : My name is John [Employee Name]

output : My name is John Name]

I need the output as: My name is John

Thanks

0 Karma

richgalloway
SplunkTrust

Insert a space in the regex.

rex mode=sed field=name "s/\[[\w\s\]]*//"
---
If this reply helps you, Karma would be appreciated.
0 Karma
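
The expressions posted in this thread diverge once the bracketed text contains spaces or punctuation, or the field holds more than one bracket group; the following added example (not code from any poster) runs each of them over the thread's inputs and two constructed ones. It assumes Python's `re` module behaves like the regex engine behind `rex mode=sed` for these simple patterns, and `added_variant` is a hypothetical expression that nobody in the thread posted.

```python
import re

# Expressions quoted in the thread: (regex between "s/" and "//", g flag set?).
# "added_variant" is hypothetical: it is not from any post on this page.
PATTERNS = {
    "question":      (r"\[[^]]*", False),        # original attempt
    "word_only":     (r"\[[\w\]]*", False),      # first suggestion
    "word_space":    (r"\[[\w\s\]]*", False),    # with \s added
    "negated_class": (r"\[[^\]]+\]", False),     # "safest option"
    "greedy_dot":    (r"(\[.*\])", True),        # accepted solution
    "added_variant": (r"\s*\[[^\]]*\]", True),   # assumption, see lead-in
}

# Inputs quoted in the thread.
THREAD_INPUTS = [
    "My name is John [Employee]",
    "My name is John [Employee Name]",
    "Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]",
]
# Constructed inputs: two bracket groups, and punctuation inside the brackets.
CONSTRUCTED_INPUTS = [
    "Router [XYZ] 1800 Series [ARIZONA]",
    "Switch [XYZ-ARIZONA]",
]


def sed_sub(name, text):
    """Apply one s/regex//[g] expression the way sed mode would."""
    regex, global_flag = PATTERNS[name]
    # count=0 replaces every match (g flag); count=1 only the first match.
    return re.sub(regex, "", text, count=0 if global_flag else 1)


def compare(text):
    """Return {pattern name: result} for every expression above."""
    return {name: sed_sub(name, text) for name in PATTERNS}


if __name__ == "__main__":
    for text in THREAD_INPUTS + CONSTRUCTED_INPUTS:
        print(repr(text))
        for name, result in compare(text).items():
            print(f"  {name:14} -> {result!r}")
```

On the two-group input, `greedy_dot` and `word_space` also delete text that sits outside the brackets, and the expressions from the thread leave the space that preceded the bracket in place.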