Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a regex that removes everything afte...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gbwilson
Path Finder
06-26-2018
01:28 PM
I have a regex that should remove everything after a second underscore. When I try to search with the regex, it doesn't work. Any ideas? I must be doing something wrong, just can't figure out what.
Data looks like this:
AB200_Cdef_233
Abcde_FG400_34
And should end up looking like this:
AB200_Cdef
Abcde_FG400
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^_]*_[^_]*\K.*$")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
06-27-2018
12:30 AM
Your regex is fine, you're just missing the mandatory 3rd argument of the replace(X,Y,Z) function.
It should work fine if you run it like this:
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^_]*_[^_]*\K.*$","")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
06-27-2018
12:30 AM
Your regex is fine, you're just missing the mandatory 3rd argument of the replace(X,Y,Z) function.
It should work fine if you run it like this:
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^_]*_[^_]*\K.*$","")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
06-26-2018
06:07 PM
Maybe -
index=cms_vm
| rex field=DatastoreName "(?<DatastoreName>.*_.*)_.*"
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rteja9
Path Finder
06-26-2018
03:41 PM
Try below query,
index=cms_vm
| eval DatastoreName=replace(DatastoreName,"^[^]+[^_]+(.*)","")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
