Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to remove tags in a string?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to remove tags in a string?
Hello,
I have a string field like: View
How can I remove tag and to only display View in the search?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will help to see some sample events and the desired output.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the confusing and here is the detail:
Search: index=index1 | table eventdata
Current output:
eventdata
<Type> View </Type>
<Action> Edit </Action>
<Source> Server Name </Source>
Desired output:
eventdata
View
Edit
Server Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, I see where it causes confusing. The tags were removed from my original post. That makes both current and desired outputs the same.
The current output has smaller and greater signs at beginning and these signs with at the end.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It got eaten again. Re-edit your original question, highlight the stuff that is getting changed and then click the 101010 button to make it a code fragment that will not get modified.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, actually the field name is EventData with values like: View or Edit or Delete
I try to only display the text b/w tags and (View, Edit, or Delete).
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have no idea what you mean. Use more works and try the markdown features in answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Woodcock,
All I meant is that how I can remove tags .... in a string. For example:
View , I only need my search to return View. The field name is EventData.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You said the same thing 3 times the same way and it doesn't make sense. Draw us a picture and stop using words. Show us the data before and the data after. We are not following what you mean, especially your strange use of the term tag.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The rex command may be what you are looking for. The example below will extract what is between <tag> and < into a field called 'field'.
... | rex "\<[^>]+>\s*(?<field>[^\<]+)\<"
If this reply helps you, Karma would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
