Hi,
I need to remove square brackets and content within it from a field in a search.
eg: 
Input: My name is John [Employee] 
Output: My name is John
I tried with the following expression:
rex mode=sed field="name" "s/\[[^]]*//"
It returns output as: My name is John ]
I don't want the closing square bracket.
How do I modify the above pattern so that I get the desired output?
Thanks
 
Please update this description with the more detailed information you described in part of the answers so that readers can understand your question more clearly.
 
The safest option would be this
rex mode=sed field="name" "s/\[[^\]]+\]//"
 
Try this
| rex mode=sed field=name "s/(\[.*\])//g"
Thank you so much, all of you, for quickly looking into this problem. But still it does not work:
@richgalloway:
rex mode=sed field=name "s/\[[\w\s\]]*//"
output: No result found
@somesoni2:
rex mode=sed field="name" "s/\[[^\]]+\]//"
output: No result found
Sundareshr:
rex mode=sed field=name "s/(\[.*\])//g"
output: No result found
Here is the precise input string:
Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]
(with just Customer name replaced with XYZ)
In fact, I tested all the above regular expressions using the online website https://regex101.com/ and found that all of them are valid and return the desired results.
But in the context of a Splunk search, it fails for me. Any idea?
I am using Splunk 6.3.
Here is the complete search [productFamily is the field in consideration] :
[|inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) |rex mode=sed field="productFamily" "s/[[\w\s]]*//" ]  |table productFamily
Thanks
 
Let's get the regex part first. Try this runanywhere sample search and let me know if the output is what you wanted.
| gentimes start=-1 | eval name=" Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]" | table name | eval orig_name=name| rex mode=sed field="name" "s/\[[^\]]+\]//"
Try this as well (your query)
 |inputlookup kvstore_lookup_prodfamily | eval KeyID = _key|where KeyID ="XYZ"|rename prodfamily.name as prodfamilyName |rename prodfamily.value as prodfamilyValue | eval reading=mvzip(prodfamilyName, prodfamilyValue)|fields reading | mvexpand reading | makemv reading delim="," |eval productFamily=mvindex(reading, 0) | rex mode=sed field="productFamily" "s/\[[^\]]+\]//"  |table productFamily
The first runanywhere sample search works fine, and even the second one. But when run in the context of my query, which has a subsearch, it does not work. I am not sure of the root cause, though. Fortunately, with the query below, I am able to get the desired result:
|makemv productFamily delim=" ["|eval productFamily=mvindex(productFamily, 0)
I have confirmed the regular expression provided by you and other boarders is correct using the runanywhere sample. Thanks again for your help.
 
Your regex matches everything except the closing square bracket so that's why the closing square bracket remains. Try this expression:
rex mode=sed field=name "s/\[[\w\]]*//"
Thanks for your quick reply.
Sorry, I did not mention that the content in the brackets contains a space character.
Using the sed expression that you provided, here is the input and output:
input : My name is John [Employee Name]
output : My name is John Name]
I need the output as: My name is John
Thanks
 
Insert a space in the regex.
rex mode=sed field=name "s/\[[\w\s\]]*//"
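
For comparison, the patterns posted in this thread can be run side by side over the sample strings. This is an added example, not code from any of the posters; it uses Python's `re` module as a stand-in for the PCRE engine behind `rex mode=sed`, and the names `SAMPLES`, `CANDIDATES`, `sed_sub`, the fourth sample string and the "trimmed" pattern are assumptions made for illustration.

```python
import re

# Constructed inputs: the first three are the strings quoted in the thread,
# the fourth is made up to show two bracket groups with text between them.
SAMPLES = [
    "My name is John [Employee]",
    "My name is John [Employee Name]",
    "Cisco 1800 Series Integrated Services Routers [XYZ ARIZONA]",
    "Router [XYZ ARIZONA] rev 2 [LAB]",
]

# name -> (pattern, whether the sed expression carried the /g flag)
CANDIDATES = {
    "question":      (r"\[[^]]*", False),      # stops before ']' and leaves it behind
    "word-only":     (r"\[[\w\]]*", False),    # stops at the first space
    "word+space":    (r"\[[\w\s\]]*", False),  # runs past ']' into following text
    "greedy":        (r"(\[.*\])", True),      # first '[' through the last ']'
    "negated-class": (r"\[[^\]]+\]", False),   # exactly one bracket group
    # Added variant (not from the thread): also drops the spaces before each
    # group and applies to every group in the value.
    "trimmed":       (r"\s*\[[^\]]+\]", True),
}

def sed_sub(name, text):
    """Apply one candidate the way s/pattern// or s/pattern//g would."""
    pattern, global_flag = CANDIDATES[name]
    return re.sub(pattern, "", text, count=0 if global_flag else 1)

def report():
    """Return {candidate: [result for each sample]} for side-by-side review."""
    return {name: [sed_sub(name, s) for s in SAMPLES] for name in CANDIDATES}

if __name__ == "__main__":
    for name, results in report().items():
        print(name)
        for src, out in zip(SAMPLES, results):
            print(f"  {src!r} -> {out!r}")
```

The negated-class pattern leaves the space that preceded the bracket in place, so a value compared or joined on afterwards may still need trimming.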
