Currently I am not familiar with the rex and replace commands in Splunk. Can someone help me here?
I want to replace with blank anything after the full stop.
For example:
Username
A1B1.;#12345
;#12345 this character needs to be removed.
Like this:
| rex field=Username mode=sed "s/\..*$//"
Thanks Sir....it worked 🙂
I have a similar issue, in the Message field from a specific event code from the WinEventLogs it says
"A memeber was added to a security-enabled global group."
Subject:
Security ID:
I want everything after the period "group." gone. I tried the above rex however nothing changed.
(?s)
try this option.
I'm sorry, I am very new to Splunk. Where should I put that option in the search?
| makeresults
| eval _raw="\"A memeber was added to a security-enabled global group.\"
Subject:
Security ID:"
| rex mode=sed "s/(?s)\..*$/./"
cf. regex101
| makeresults
| eval _raw="\"A memeber was added to a security-enabled global group.\"
Subject:
Security ID:"
| rex "\"(?<_raw>.+)\""
I will do it like this.
I have got another requirement where
for example:
Username
Lynn Chriss H;#12345
Need to remove the values from full stop [;#12345]. Was trying to use the above rex by interchanging something like this. It doesn't work ...
| rex field="Username" mode=sed "s/[A-Z]*$//"
?
Request your help on this
Oh, I see, my original answer also removed the .
but you need to keep that, just do this:
| rex field=Username mode=sed "s/\..*$/./"
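The sed expressions from this thread, run through Python's `re` as an added example (not code from any poster, and Splunk itself is not involved). It assumes Python treats `.`, `$` and `(?s)` the same way rex does for these patterns; the `sed` helper and the `;#` expression are additions for illustration, and the sample values are adapted from the posts above.

```python
import re

# Parses the "s/<regex>/<replacement>/[g]" form that rex mode=sed takes.
_SED = re.compile(r"s/((?:\\.|[^/\\])*)/((?:\\.|[^/\\])*)/(g?)", re.S)


def sed(expr: str, value: str) -> str:
    """Apply a sed-style substitution with Python's re (a stand-in, not Splunk)."""
    m = _SED.fullmatch(expr)
    if m is None:
        raise ValueError(f"not an s/regex/replacement/ expression: {expr!r}")
    pattern, replacement, flag = m.groups()
    # Without the g flag only the first match is replaced.
    return re.sub(pattern, replacement, value, count=0 if flag else 1)


# Sample values adapted from the posts above.
USERNAME = "A1B1.;#12345"
FULL_NAME = "Lynn Chriss H;#12345"
MESSAGE = ("A memeber was added to a security-enabled global group.\n"
           "Subject:\nSecurity ID:")

CASES = [
    (r"s/\..*$//", USERNAME),      # first answer: the period is removed too
    (r"s/\..*$/./", USERNAME),     # last answer: the period is kept
    (r"s/\..*$/./", MESSAGE),      # multi-line value: "." stops at the newline
    (r"s/(?s)\..*$/./", MESSAGE),  # (?s) lets "." run across newlines
    (r"s/[A-Z]*$//", FULL_NAME),   # attempt from the thread: value ends in digits
    (r"s/;#.*$//", FULL_NAME),     # assumption: anchor on the ";#" delimiter
    (r"s/;#.*$//", USERNAME),      # same expression on the first sample
]

if __name__ == "__main__":
    for expr, value in CASES:
        print(f"{expr:<18} {value!r} -> {sed(expr, value)!r}")
```

Running the file prints each expression next to its input and result, which makes it a quick way to check a substitution before pasting it into a search.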