Solved: Re: How to remove data after the first period? - Splunk Community

Splunk Search

Hi Splunk Community,

I am trying to remove the data in a field after the first period. my field looks like this:

24611_abce.XXX.AAA.com

24612_r1q2e3.XXX.AAA.com

null

null

4iop45_q7w8e9.XXX.AAA.com

hki90lhf3_m1n2b3.QQQQ.AAA.com

I would like to remove everything after the first period for every row but the pattterns at the end do not match after the first period. It should look like this:

24611_abce

24612_r1q2e3

null

null

4iop45_q7w8e9

hki90lhf3_m1n2b3

thanks in advance!

1 Solution

Solution

In your environment, you should try:

<your search>
| rex field=<fieldname> "^(?<custom_fieldname>[^\.]+)"

try this run anywhere search:

| makeresults 
| eval data="24611_abce.XXX.AAA.com,24612_r1q2e3.XXX.AAA.com,null,null,4iop45_q7w8e9.XXX.AAA.com,hki90lhf3_m1n2b3.QQQQ.AAA.com" 
| makemv data delim="," 
| mvexpand data 
| rex field=data "^(?<data>[^\.]+)"

let me know if this helps!

View solution in original post

Solution

In your environment, you should try:

<your search>
| rex field=<fieldname> "^(?<custom_fieldname>[^\.]+)"

try this run anywhere search:

| makeresults 
| eval data="24611_abce.XXX.AAA.com,24612_r1q2e3.XXX.AAA.com,null,null,4iop45_q7w8e9.XXX.AAA.com,hki90lhf3_m1n2b3.QQQQ.AAA.com" 
| makemv data delim="," 
| mvexpand data 
| rex field=data "^(?<data>[^\.]+)"

let me know if this helps!

This worked like a charm. Thank you very much

Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...