Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to delete everything before and including string, using regex?

Bleepie
Communicator
‎08-11-2021 04:52 AM

Dear Community, I have the following search query:

 

index="myIndex" 
host="myHost" 
source="mySource.log" 
2021081105302743 
"started with profile"

 

The above gives me the following result:

 

Progam has run, 2021081105302743 started with profile TEST_PROFILE_01

 

I would like to remove everything before TEST_PROFILE_01 , giving me just the profile. Beforehand I do not know what profile is used. Therefore I guess what I want is:

  • Remove everything before "profile"
  • Also remove "profile"

Then, I want to display the profile in a "Single Value".

 

I have used the below in a table before, but now that I am using Single Value, I don't know which field to use. Also if I use a string instead of the # below in the table, it won't work.

| eval _raw = replace(_raw,"^[^#]*#", "")

 

I have 2 questions:

  1. When using a Single Value Panel, what field do I use in the above search at the position _raw (what to replace it with)? When I search for the data as shown in the query located at the top, the data is shown in the "Event" field. Is this the field I should use?
  2. At the position of the # I would like to use "profile", but I don't know how to edit the regex accordingly.

I could use some help on this matter. Thanks in advance.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Bleepie
Communicator
‎08-12-2021 02:47 AM

Hi Soutame, thanks for your reply. 

I got it working thanks to one of my colleagues. We applied the following:

| rex field=_raw "profile\s(?<whatever>[^\s\r]+)"
| stats count by whatever | fields - count

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-11-2021 05:14 AM

Hi

Is it enough that you just get profile name from _raw instead of alter _raw? If this is ok, then you can use the next rex

 

....
| rex "started with profile (?<profile>[^\n]+)"

 

And if you also want replace raw then you can add this to next line

 

...
| eval _raw = profile

r. Ismo

 

0 Karma
Reply
Solved! Jump to solution

Bleepie
Communicator
‎08-11-2021 05:23 AM

Problem is, I am not sure if I am using _raw here or not (In a Single Value Panel). When applying the above in just a search (regardless of a panel) I still get the full search results, where I am just expecting the name of the profile (I have marked some information in red that is not supposed to be shared):

splunkie.png

In the regex you use <profile> as I field I think? I am not too sure. But even when replacing <profile>  with <event> it still shows everything.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-12-2021 02:44 AM

If you want to switch _raw also on displayed event then you must do it on props.conf. But I think that still you can see it if you select "Event Actions" -> Show Source. The only way how you can really get rid of it is remove it before you indexing it.

r. Ismo

0 Karma
Reply
Solved! Jump to solution
Solution

Bleepie
Communicator
‎08-12-2021 02:47 AM

Hi Soutame, thanks for your reply. 

I got it working thanks to one of my colleagues. We applied the following:

| rex field=_raw "profile\s(?<whatever>[^\s\r]+)"
| stats count by whatever | fields - count

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...