Solved: Is there an easy way to remove a section of string...

SMM10 · ‎05-16-2022

I want to get an alert and run it but there are items I wanted to remove.

| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch

So far I am able to get my search but there is a line in there I want to remove, and then display my result. For example if the following was a line in qualifiedSearch.

| rename test1 as test, rename operation1 as operation

Is there an easy way I can use rex or something else to find this string in qualifiedSearch and remove it?

ITWhisperer · ‎05-16-2022

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| eval search=replace(search,"\| rename test1 as test, rename operation1 as operation", "")
| map search="| makeresults | map search="$search$

View solution in original post

ITWhisperer · ‎05-16-2022

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| eval search=replace(search,"\| rename test1 as test, rename operation1 as operation", "")
| map search="| makeresults | map search="$search$

Is there an easy way to remove a section of string from a field?

field extraction

rex

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation

Is there an easy way to remove a section of string from a field?

field extraction

rex

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI