Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get rid of extra space from the output of a splunk query

maramk
Explorer
‎10-04-2021 06:30 PM

Hi Guys,

     I have a splunk command which returns a filename as the output. But i found that there is an extra space before and after the filename.

query i am running here is,

filetest | rex "sent to:  https://someurl/(?<file>.*)" | table file

 

Output displayed as:

...............................

..............................

.............................

..............................

file.txt

.............................

...........................

............................

 

how can i get rid of the extra space before and after the file name?

 

Thanks.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

maramk
Explorer
‎10-05-2021 03:52 PM

@danielcj and @Azeemering ,

 

adding "where isnotnull(json)" at the end of the query fixed the issue.

 

Thanks.

0 Karma
Reply

danielcj
Communicator
‎10-05-2021 01:41 PM

Hello,

 

The extra spaces of the file name are blank spaces? If so, you could use the trim command to remove these spaces like the following:

| rex "sent to:  https://someurl/(?<file>.*)" 
| eval file = trim(file)
| table file

 

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:35 PM

hi @danielcj ,

    Thanks for the response. The above command you suggested doesn't remove extra lines. Its returning the same result before and after.

  I am running the query to match a file name from the splunk logs and extracting it to display. But there are empty lines before and after the file name as below.

output:

............................

...........................

..........................

file.txt

.........................

.....................

..................

 

can you suggest me anything better. Appreciate your response.

 

Thanks.

Thanks.

0 Karma
Reply

Azeemering
Builder
‎10-05-2021 01:25 PM

Can you try

| rex field=file mode=sed "s/(^\s+)|(\s+$)//g"

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:38 PM

Hi @Azeemering ,

 

   I tried it as you suggested well. Check the command i run below for my query. Please suggest me if i can make it better to get the file name without empty lines before and after.

 

filename | rex "uploaded to: s3:someurl/(?<json>.*)" | rex field=json mode=sed "s/(^\s+)|(\s+$)//g" | table json

 

output still showing as,

................................

..............................

.............................

file.txt

..............................

..............................

............................

 

I have to get rid of those extra lines and display just the file name. I appreciate your help

 

Thanks.

 

Thanks. 

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...