Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a regex that removes everything afte...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gbwilson
Path Finder
06-26-2018
01:28 PM
I have a regex that should remove everything after a second underscore. When I try to search with the regex, it doesn't work. Any ideas? I must be doing something wrong, just can't figure out what.
Data looks like this:
AB200_Cdef_233
Abcde_FG400_34
And should end up looking like this:
AB200_Cdef
Abcde_FG400
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^_]*_[^_]*\K.*$")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
06-27-2018
12:30 AM
Your regex is fine, you're just missing the mandatory 3rd argument of the replace(X,Y,Z) function.
It should work fine if you run it like this:
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^_]*_[^_]*\K.*$","")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
06-27-2018
12:30 AM
Your regex is fine, you're just missing the mandatory 3rd argument of the replace(X,Y,Z) function.
It should work fine if you run it like this:
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^_]*_[^_]*\K.*$","")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
06-26-2018
06:07 PM
Maybe -
index=cms_vm
| rex field=DatastoreName "(?<DatastoreName>.*_.*)_.*"
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rteja9
Path Finder
06-26-2018
03:41 PM
Try below query,
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^]+[^_]+(.*)","")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
Get Updates on the Splunk Community!
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0
mTLS wasn’t just a checkbox ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
