Is there an easy way to remove a section of string from a field?

SMM10
Explorer

I want to get an alert and run it but there are items I wanted to remove.

| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch

So far I am able to get my search but there is a line in there I want to remove, and then display my result. For example, if the following was a line in qualifiedSearch:

| rename test1 as test, rename operation1 as operation

Is there an easy way I can use rex or something else to find this string in qualifiedSearch and remove it?

ITWhisperer
SplunkTrust
| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| eval search=replace(search,"\| rename test1 as test, rename operation1 as operation", "")
| map search="| makeresults | map search="$search$
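
A preview step that can be run before handing the edited string to map, added here as an example and not part of the original answer. replace() returns its input unchanged when the pattern does not match, so this shows the saved search next to the edited copy and flags whether anything was removed; the field names cleaned and removed, and the whitespace-tolerant pattern, are assumptions made for this example.

```spl
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search title="SomeAlert"
| fields title qualifiedSearch
``` \s* and \s+ tolerate the spacing or line breaks the saved search may contain ```
| eval cleaned=replace(qualifiedSearch, "\|\s*rename\s+test1\s+as\s+test,\s*rename\s+operation1\s+as\s+operation", "")
``` "no" means the pattern never matched and the original search would run as-is ```
| eval removed=if(cleaned!=qualifiedSearch, "yes", "no")
| table title removed qualifiedSearch cleaned
```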
