Splunk Search

How to hide some values in field?

chakuttha
Explorer

When i have query data  result from search in field worker id it show >> domain\worker_id

search result Example  ABC\123456  it have domain name front of worker id.

If i would like to deleted only domain  ABC\  in field and result  show only number of worker id  .

Example    ABC\123456   >>> 123456

Please recommend  how to query in search.

Best Regards,

CR

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

@chakuttha Those instructions from @richgalloway should have been

 

| rex mode=sed field=worker_id "s/ABC\\\\//g"

OR this

| replace "ABC\\*" with "*" in worker_id

There is a third option

| eval worker_id=replace(worker_id, "ABC\\\\", "")

Note in the middle one, the '\' character needs to be escaped ONCE for the SPL parser line, whereas in the rex and eval statements, the \ needs to be double escaped, once for the SPL parser line and secondly for the regex parser.

 

 

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

There likely are several ways to do that.  Here are a couple

| replace "ABC\" with "" in worker_id
| rex mode=sed field=worker_id "s/ABC\//g"
---
If this reply helps you, Karma would be appreciated.
0 Karma

bowesmana
SplunkTrust
SplunkTrust

@chakuttha Those instructions from @richgalloway should have been

 

| rex mode=sed field=worker_id "s/ABC\\\\//g"

OR this

| replace "ABC\\*" with "*" in worker_id

There is a third option

| eval worker_id=replace(worker_id, "ABC\\\\", "")

Note in the middle one, the '\' character needs to be escaped ONCE for the SPL parser line, whereas in the rex and eval statements, the \ needs to be double escaped, once for the SPL parser line and secondly for the regex parser.

 

 

chakuttha
Explorer

@bowesmana  It work. 

Thank you so much. 😄

0 Karma

chakuttha
Explorer

Hi richgalloway  

I have try to do following your recommend it not work still show domain name front of worker id.

 




0 Karma

johnhuang
Motivator

The solution posted by @richgalloway should have worked. The assumption is that "worker_id" is the actual fieldname you're trying to normalize, if not, you should change worker_id to the actual fieldname.

A more flexible way to do this esp when you have a multi-domain environment with local accounts is to extract the id with regex:

| rex field=worker_id "(?<worker_id>[^\\]*)$"

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...