Solved: How do I extract a new field from a table?

vinoth12 · ‎11-26-2018

Hi, I extracted a field and am viewing it in a table. But some data has a comma (,) in between. I want to create a new column without the comma ** and whatever comes **after the comma should not be there in that field.

please help me to come up with a solution!

woodcock · ‎11-26-2018

Add this to your existing search:

... | rex field=YourExistingFieldName "^(?<YourNewFieldName>[^#]+)"

View solution in original post

woodcock · ‎11-26-2018

Add this to your existing search:

... | rex field=YourExistingFieldName "^(?<YourNewFieldName>[^#]+)"

vinoth12 · ‎11-26-2018

Hi woodcock,
I want it should get split only alphabets followed by a #, if a space is followed by a #. then i don't want to. can you please help me to do it

woodcock · ‎11-26-2018

Like this:
... | rex field=YourExistingFieldName "^(?[^#\s]+)"

How do I extract a new field from a table?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How do I extract a new field from a table?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem