Solved: How to change each instance of a field search resu...

atebysandwich · ‎01-26-2023

I'm doing a search for server names and will eventually extract to to a csv. However, each result comes out as one of the following

servername.domain: servername.domain
servername: servername.domain
servername: servername

How can I change the results in that particular field to be just servername? I feel like this is where regular expressions may come in to play.

atebysandwich · ‎01-27-2023

I was able to figure out the issue without regex - I was looking at the wrong field. Thank you for the help,

View solution in original post

ITWhisperer · ‎01-26-2023

Try something like this

| rex field=particular "\w+:(?<servername>\w+)\.)"

atebysandwich · ‎01-26-2023

Unfortunately that didn't work. The field results still come out the same. But I noticed they come out in a few different ways:

servername.domain: servername.domain
servername: servername.domain
servername: servername

ITWhisperer · ‎01-26-2023

Please share some sample events in a code block </> since normal pasting can alter the (white-space) formatting.

atebysandwich · ‎01-27-2023

I was able to figure out the issue without regex - I was looking at the wrong field. Thank you for the help,

How to change each instance of a field search result?

fields

regex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?