Solved: Is there a better way to edit my regular expressio...

Accak · ‎03-03-2017

Hey guys,
I have field with values like:

RQT4 - Ownership foo barr
R11: Assistance fooo barr 192392
RQR11 -RFI A lot of text and digits

I want to cut the beginning with RQR/R/RQT, "/", ":" and whitespaces

My search (working on regex101.com)

| rex field=fieldToExtract mode=sed "s/^(RQT|RQR|R|r)\d+(\s\W\s|\s\W|\W\s|\W|\s)//"  |

And still its not working for all values, f.e

RQT11 - Apply remove CMS
RQT2 - Library creation - (1)
R11 - Apply RAW
RQR3 - RDI Remove

Any ideas why?
I bet there is better way to do it. For example Cut all before first 3 word characters which are not RQR or RQT, or R\d\d.
Thanks in advance!

Accak · ‎03-03-2017

I just added "g" on the end and it's workig.

| rex field=fieldToExtractmode=sed "s/^R\w+\d+\W+//g"|

But still don't know what "g" acctualy make.

View solution in original post

Accak · ‎03-03-2017

I just added "g" on the end and it's workig.

| rex field=fieldToExtractmode=sed "s/^R\w+\d+\W+//g"|

But still don't know what "g" acctualy make.

Accak · ‎03-03-2017

Thanks Accak

Accak · ‎03-03-2017

You are welocme Accak

woodcock · ‎03-03-2017

g is for global meaning it will repeat the same command over and over until it gets to the end of the string and cannot match any more.

Accak · ‎03-03-2017

I managed to short it :

| rex field=fieldToExtract mode=sed "s/^(R|r)\w+\d+\W+//" |

But still the same values stay unchanged.

Is there a better way to edit my regular expression?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life