Splunk Search

My regex is not working in Splunk although it works at regex101.com

ugruner
Explorer

Hello,

I have a field "group"; this field contains some values with the prefix "AD-". I need to get rid of the prefix.

E.g.
AD-test = test
ADtest = ADtest
test = test
AD-123 = 123
123 = 123

I am trying to do this with regex. My regex works fine outside of Splunk, e.g. at regex101.com or in a PowerShell script, but I am not able to get it to work in Splunk.

This is my regex: [^AD-].*\s

But in Splunk | rex field="group" (?[^AD-].*\s) results in: Missing a search command before '^'. ..... Error in 'SearchParser': errorcontext = [^AD-].*\s)}'.

Udo

1 Solution

elliotproebstel
Champion

That's a great place to use the replace command:
[your search] | replace "AD-*" with "*" in group

Cleaner and easier than most regex!
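As an added illustration that is not part of any post in this thread: the same prefix stripping in Python over the question's own sample values, showing why [^AD-] cannot work (it is a character class, not a literal prefix) and what the accepted replace-with-wildcard answer does. The rex form in the docstring and the case-sensitive wildcard matching are my assumptions, not something the thread states.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample values, copied from the question's own expected mapping.
SAMPLES = {
    "AD-test": "test",
    "ADtest": "ADtest",
    "test": "test",
    "AD-123": "123",
    "123": "123",
}

# What the question's pattern really means: "[^AD-]" is a character class,
# "one character that is not A, D or '-'", followed by anything and then a
# whitespace character. It never expresses "does not start with AD-".
QUESTION_PATTERN = re.compile(r"[^AD-].*\s")

# Anchored, optional literal prefix with the remainder captured.
# Splunk's rex (PCRE) spells named groups "(?<name>...)"; Python uses "(?P<name>...)".
STRIP_PATTERN = re.compile(r"^(?:AD-)?(?P<group>.*)$")


def question_pattern_matches(value: str) -> bool:
    """True if the question's regex finds anything in the value as given."""
    return QUESTION_PATTERN.search(value) is not None


def strip_prefix_regex(value: str) -> str:
    """Assumed SPL equivalent: | rex field=group "^(?:AD-)?(?<group>.*)$" """
    m = STRIP_PATTERN.match(value)
    return m.group("group") if m else value


def strip_prefix_wildcard(value: str) -> str:
    """Accepted answer: | replace "AD-*" with "*" in group

    replace matches whole field values with * wildcards (not regexes);
    case-sensitive matching is assumed here.
    """
    if fnmatchcase(value, "AD-*"):
        return value[len("AD-"):]
    return value


def check_all() -> dict:
    """Return {value: (regex_result, wildcard_result)} for every sample."""
    return {v: (strip_prefix_regex(v), strip_prefix_wildcard(v)) for v in SAMPLES}
```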

rphillips_splk
Splunk Employee

To clarify, you have 1 field called group and the value of the field needs AD- stripped off?

ie:
group = AD-test

should be:

group = test

rphillips_splk
Splunk Employee

I would agree with @elliotproebstel !

ugruner
Explorer

Thanks, I am always thinking too complicated.
