Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get rid of extra space from the output of a splunk query

maramk
Explorer
‎10-04-2021 06:30 PM

Hi Guys,

     I have a splunk command which returns a filename as the output. But i found that there is an extra space before and after the filename.

query i am running here is,

filetest | rex "sent to:  https://someurl/(?<file>.*)" | table file

 

Output displayed as:

...............................

..............................

.............................

..............................

file.txt

.............................

...........................

............................

 

how can i get rid of the extra space before and after the file name?

 

Thanks.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

maramk
Explorer
‎10-05-2021 03:52 PM

@danielcj and @Azeemering ,

 

adding "where isnotnull(json)" at the end of the query fixed the issue.

 

Thanks.

0 Karma
Reply

danielcj
Communicator
‎10-05-2021 01:41 PM

Hello,

 

The extra spaces of the file name are blank spaces? If so, you could use the trim command to remove these spaces like the following:

| rex "sent to:  https://someurl/(?<file>.*)" 
| eval file = trim(file)
| table file

 

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:35 PM

hi @danielcj ,

    Thanks for the response. The above command you suggested doesn't remove extra lines. Its returning the same result before and after.

  I am running the query to match a file name from the splunk logs and extracting it to display. But there are empty lines before and after the file name as below.

output:

............................

...........................

..........................

file.txt

.........................

.....................

..................

 

can you suggest me anything better. Appreciate your response.

 

Thanks.

Thanks.

0 Karma
Reply

Azeemering
Builder
‎10-05-2021 01:25 PM

Can you try

| rex field=file mode=sed "s/(^\s+)|(\s+$)//g"

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:38 PM

Hi @Azeemering ,

 

   I tried it as you suggested well. Check the command i run below for my query. Please suggest me if i can make it better to get the file name without empty lines before and after.

 

filename | rex "uploaded to: s3:someurl/(?<json>.*)" | rex field=json mode=sed "s/(^\s+)|(\s+$)//g" | table json

 

output still showing as,

................................

..............................

.............................

file.txt

..............................

..............................

............................

 

I have to get rid of those extra lines and display just the file name. I appreciate your help

 

Thanks.

 

Thanks. 

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...