Splunk Search

How to get rid of extra space from the output of a splunk query

maramk
Explorer

Hi Guys,

     I have a splunk command which returns a filename as the output. But i found that there is an extra space before and after the filename.

query i am running here is,

filetest | rex "sent to:  https://someurl/(?<file>.*)" | table file

 

Output displayed as:

...............................

..............................

.............................

..............................

file.txt

.............................

...........................

............................

 

how can i get rid of the extra space before and after the file name?

 

Thanks.

 

Labels (1)
Tags (1)
0 Karma

maramk
Explorer

@danielcj and @Azeemering ,

 

adding "where isnotnull(json)" at the end of the query fixed the issue.

 

Thanks.

0 Karma

danielcj
Communicator

Hello,

 

The extra spaces of the file name are blank spaces? If so, you could use the trim command to remove these spaces like the following:

| rex "sent to:  https://someurl/(?<file>.*)" 
| eval file = trim(file)
| table file

 

0 Karma

maramk
Explorer

hi @danielcj ,

    Thanks for the response. The above command you suggested doesn't remove extra lines. Its returning the same result before and after.

  I am running the query to match a file name from the splunk logs and extracting it to display. But there are empty lines before and after the file name as below.

output:

............................

...........................

..........................

file.txt

.........................

.....................

..................

 

can you suggest me anything better. Appreciate your response.

 

Thanks.

Thanks.

0 Karma

Azeemering
Builder

Can you try

| rex field=file mode=sed "s/(^\s+)|(\s+$)//g"

0 Karma

maramk
Explorer

Hi @Azeemering ,

 

   I tried it as you suggested well. Check the command i run below for my query. Please suggest me if i can make it better to get the file name without empty lines before and after.

 

filename | rex "uploaded to: s3:someurl/(?<json>.*)" | rex field=json mode=sed "s/(^\s+)|(\s+$)//g" | table json

 

output still showing as,

................................

..............................

.............................

file.txt

..............................

..............................

............................

 

I have to get rid of those extra lines and display just the file name. I appreciate your help

 

Thanks.

 

Thanks. 

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...