Splunk Search

How to use rex and sed to remove field prefix?

dmcintosh1972
Explorer

I would like to remove a prefix from a field where certain criteria are met but leave the prefix on on fields where criteria isnt met.

e.g

uniqueIdentifier = admjdoe
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = jdoe

uniqueIdentifier = administrator
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = inistrator

Obviously I don't want to remove the adm from administrator, and as the field includes names it should also correctly handle names like admaneil (adm aniel) etc

I need to have some kind of if uniqueIdentifier = administrator then don't apply the sed command.

Thanks

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...