Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a part of a field?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reschal
Explorer
12-15-2017
12:55 AM
Hey,
i have got a field extraction called mail. So i get different kind of mails as output.
But it appears the following problem: All the mail adresses have a "." at the end and i want to remove the ".".
For example: "xy.z@yahoo.com." shall be "xy.z@yahoo.com"
I tried to solve the problem by extracting the expression without the "." but it won't work.
|rex field=mail "(?<mail>[\s]+)-."
Thanks for your help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
12-15-2017
01:17 AM
Try this
| rex field=mail "(?P<mail>[^\s]+)\."
Let me know if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yunagi
Communicator
12-15-2017
01:22 AM
If you really want to change the field with a Splunk search, then try the following:
| eval mail=substr(mail,0,len(mail)-1)
However, I think the better approach is to improve the actual field extraction. Can you provide the field extraction under Settings/Fields/Field extractions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
12-15-2017
01:17 AM
Try this
| rex field=mail "(?P<mail>[^\s]+)\."
Let me know if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reschal
Explorer
12-15-2017
01:52 AM
It works. Thanks very much 🙂
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
