Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get rid of extra space from the output of a splunk query

maramk
Explorer
‎10-04-2021 06:30 PM

Hi Guys,

     I have a splunk command which returns a filename as the output. But i found that there is an extra space before and after the filename.

query i am running here is,

filetest | rex "sent to:  https://someurl/(?<file>.*)" | table file

 

Output displayed as:

...............................

..............................

.............................

..............................

file.txt

.............................

...........................

............................

 

how can i get rid of the extra space before and after the file name?

 

Thanks.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

maramk
Explorer
‎10-05-2021 03:52 PM

@danielcj and @Azeemering ,

 

adding "where isnotnull(json)" at the end of the query fixed the issue.

 

Thanks.

0 Karma
Reply

danielcj
Communicator
‎10-05-2021 01:41 PM

Hello,

 

The extra spaces of the file name are blank spaces? If so, you could use the trim command to remove these spaces like the following:

| rex "sent to:  https://someurl/(?<file>.*)" 
| eval file = trim(file)
| table file

 

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:35 PM

hi @danielcj ,

    Thanks for the response. The above command you suggested doesn't remove extra lines. Its returning the same result before and after.

  I am running the query to match a file name from the splunk logs and extracting it to display. But there are empty lines before and after the file name as below.

output:

............................

...........................

..........................

file.txt

.........................

.....................

..................

 

can you suggest me anything better. Appreciate your response.

 

Thanks.

Thanks.

0 Karma
Reply

Azeemering
Builder
‎10-05-2021 01:25 PM

Can you try

| rex field=file mode=sed "s/(^\s+)|(\s+$)//g"

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:38 PM

Hi @Azeemering ,

 

   I tried it as you suggested well. Check the command i run below for my query. Please suggest me if i can make it better to get the file name without empty lines before and after.

 

filename | rex "uploaded to: s3:someurl/(?<json>.*)" | rex field=json mode=sed "s/(^\s+)|(\s+$)//g" | table json

 

output still showing as,

................................

..............................

.............................

file.txt

..............................

..............................

............................

 

I have to get rid of those extra lines and display just the file name. I appreciate your help

 

Thanks.

 

Thanks. 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...