Splunk Search

Modify field to remove extra characters

Path Finder

I have a search that returns a user field i.e. user="username". This gets reported by one system as user="u'username'" this is generating false positives for unknown users.

I want to modify the user field, if necessary to remove the u' at the start and the ' at the end. I have a way but it seems cumbersome

| eval user=if(like(user,"u'%'"), mvindex(split(user,"'") ,1) ,user)

I'd be interested if there's a better way since I have another mis-report where the username has a : appended to it. using a similar eval but with an rtrim I could remove it but the search would be getting very heavy then.

| eval user=if(like(user,"u'%'"), mvindex(split(user,"'") ,1) ,user) | eval user=if(like(user,"%:"), rtrim(user,":") ,user)

I feel there ought to be a regular expression way of doing this but I can't work it out.

Thanks

Tags (4)
0 Karma
1 Solution

Esteemed Legend

Splunk Employee
Splunk Employee

Here's a solution using the aforementioned replace command:

| makeresults | eval user="u'username" | replace u'* with *

(Everything prior to "| replace" is used to make a single sample event on which to test the replace. Omit it in your actual search.)

0 Karma

Influencer

Check out the replace command

Esteemed Legend

Path Finder

Thanks both it took me a while to work it out that it was eval replace command not the other replace but with the right regex it seems to work

| eval user=replace(user,"(^u')?(.+)[':]$","\2")
0 Karma