Solved: How do you remove part of a field value?

zikpefu · ‎07-18-2018

I am trying to remove the +'s in between words for my table (i.e. stainless+steel to be just stainless steel) and my field name is SearchTerm. I tried the eval replace command method but it keeps saying Regex quantifier does not follow repeatable item; I do not know what to do. Any help would be appreciated.

My eval command:

| eval SearchTerm=replace(SearchTerm,"+"," ")

Edit: Spelling

woodcock · ‎07-18-2018

You need to escape like this (because + is a special command character):

 | eval SearchTerm=replace(SearchTerm,"\+"," ")

I would do it like this:

| rex field=SearchTerm mode=sed "s/\+/ /g"

View solution in original post

woodcock · ‎07-18-2018

You need to escape like this (because + is a special command character):

 | eval SearchTerm=replace(SearchTerm,"\+"," ")

I would do it like this:

| rex field=SearchTerm mode=sed "s/\+/ /g"

renjith_nair · ‎07-18-2018

Hi @zikpefu

escape '+'

eval SearchTerm=replace(SearchTerm,"\+"," ")

---
What goes around comes around. If it helps, hit it with Karma 🙂

How do you remove part of a field value?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How do you remove part of a field value?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!