Solved: Re: Remove a section of string from a field

SMM10 · ‎05-16-2022

I want to get an alert and run it but there are items I wanted to remove.

| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch

So far I am able to get my search but there is a line in there I want to remove, and then display my result. For example if the following was a line in qualifiedSearch.

| rename test1 as test, rename operation1 as operation

Is there an easy way I can use rex or something else to find this string in qualifiedSearch and remove it?

ITWhisperer · ‎05-16-2022

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| eval search=replace(search,"\| rename test1 as test, rename operation1 as operation", "")
| map search="| makeresults | map search="$search$

View solution in original post

ITWhisperer · ‎05-16-2022

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| eval search=replace(search,"\| rename test1 as test, rename operation1 as operation", "")
| map search="| makeresults | map search="$search$

Is there an easy way to remove a section of string from a field?

field extraction

other

rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!