Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I make a regex expression to remove "=20" and more?

dsmeerkat
Explorer
‎10-15-2018 10:12 AM

So here are the results from my "Scanned" field:

20Certificates.pdf

20from=20GLA-PTX164760.pdf

20from=20a=20Xerox.pdf

20from=20a=20Xerox=20Multifunction=20Device.pdf
20from=20a=20Xerox=20Multifunction=20Printer.pdf

20from=20the=20DEU=20Xerox=20multifunction=20device=20at=20Work=20Area=201218.pdf

I need a regex/extraction that can just give me the file name hidden in the text strings, like so...

Certificates.pdf

GLA-PTX164760.pdf

Xerox.pdf

Xerox Multifunction Device.pdf

Xerox Multifunction Printer.pdf
Xerox multifunction device at Work Area 201218.pdf

Tags (2)
0 Karma
Reply

nrduren1115
Explorer
‎10-15-2018 10:15 AM

The replace command should work:

| eval Scanned=replace(Scanned,"^20|=20"," ")
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...