Solved: Modify field to remove extra characters

terryjohn · ‎06-12-2015

I have a search that returns a user field i.e. user="username". This gets reported by one system as user="u'username'" this is generating false positives for unknown users.

I want to modify the user field, if necessary to remove the u' at the start and the ' at the end. I have a way but it seems cumbersome

| eval user=if(like(user,"u'%'"), mvindex(split(user,"'") ,1) ,user)

I'd be interested if there's a better way since I have another mis-report where the username has a : appended to it. using a similar eval but with an rtrim I could remove it but the search would be getting very heavy then.

| eval user=if(like(user,"u'%'"), mvindex(split(user,"'") ,1) ,user) | eval user=if(like(user,"%:"), rtrim(user,":") ,user)

I feel there ought to be a regular expression way of doing this but I can't work it out.

Thanks

woodcock · ‎06-12-2015

You need the replace command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/replace

View solution in original post

hrottenberg_spl · ‎06-29-2016

Here's a solution using the aforementioned replace command:

| makeresults | eval user="u'username" | replace u'* with *

(Everything prior to "| replace" is used to make a single sample event on which to test the replace. Omit it in your actual search.)

masonmorales · ‎06-12-2015

Check out the replace command

woodcock · ‎06-12-2015

You need the replace command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/replace

terryjohn · ‎06-12-2015

Thanks both it took me a while to work it out that it was eval replace command not the other replace but with the right regex it seems to work

| eval user=replace(user,"(^u')?(.+)[':]$","\2")

Modify field to remove extra characters

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

New Dates, New City: Save the Date for .conf25!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud