
How to use rex and sed to remove field prefix?

dmcintosh1972
Explorer

I would like to remove a prefix from a field where certain criteria are met but leave the prefix on fields where the criteria isn't met.

e.g.

uniqueIdentifier = admjdoe
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = jdoe

uniqueIdentifier = administrator
| rex mode=sed field=uniqueIdentifier "s/^adm//g" 
output = inistrator

Obviously I don't want to remove the adm from administrator, and as the field includes names it should also correctly handle names like admaneil (adm aniel) etc.

I need to have some kind of if uniqueIdentifier = administrator then don't apply the sed command.

Thanks

1 Solution

harsmarvania57
Ultra Champion

Hi @dmcintosh1972

Try something like this

<yourBasesearch>
| rex mode=sed field=uniqueIdentifier "s/^adm(?!inistrator)//g"
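To show what the negative lookahead in that sed expression does on realistic values, here is an added Python example (not from the post or from Splunk); it applies the same `^adm(?!inistrator)` pattern with Python's `re` module to a constructed list of identifiers, and also generalises the lookahead to a list of protected words, which is an assumption beyond the single case in the answer.

```python
import re

# Constructed sample values for the uniqueIdentifier field (not from the post).
SAMPLE_IDS = ["admjdoe", "administrator", "admaneil", "jsmith", "adminbob"]


def build_pattern(protected=("administrator",)):
    """Build the regex used by the accepted answer: ^adm(?!inistrator).

    The negative lookahead refuses the match when 'adm' is followed by the
    rest of a protected word, so that word keeps its prefix. With several
    protected words the lookahead is an alternation of their remainders,
    e.g. ^adm(?!inistrator|in). Like the original sed expression, the
    lookahead is not anchored at end-of-string, so it protects every value
    that begins with a protected word, not only exact matches.
    """
    remainders = []
    for word in protected:
        if not word.startswith("adm") or len(word) == 3:
            raise ValueError(f"protected word {word!r} must start with 'adm' "
                             "and be longer than the prefix itself")
        remainders.append(re.escape(word[3:]))
    return "^adm(?!" + "|".join(remainders) + ")"


def strip_adm_prefix(value, protected=("administrator",)):
    """Remove a leading 'adm' unless the value starts with a protected word."""
    # sed's 'g' flag is irrelevant here because '^' can match only once;
    # re.sub replaces every match, so the behaviour is identical.
    return re.sub(build_pattern(protected), "", value)


def strip_all(values, protected=("administrator",)):
    """Return {original: rewritten} for a batch of identifiers."""
    return {v: strip_adm_prefix(v, protected) for v in values}


if __name__ == "__main__":
    for original, rewritten in strip_all(SAMPLE_IDS).items():
        print(f"{original:15} -> {rewritten}")
```

Adding a word such as `admin` to `protected` yields `^adm(?!inistrator|in)`, which is the same edit you would make to the rex expression in the search.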
