Solved: Remove spaces in result of format function

BernardEAI · ‎12-14-2020

I would like to make use of the format function to modify the results of a sub-search. I'm getting spaces in the output that are causing problems with my search.

I'm using CASE in the result to make the search case sensitive. My format function is:

| format "" "CASE(" "" ")" "OR name=" ""

The output of my subsearch is:

CASE( "User 1" ) OR name= CASE( "User 2" ) OR name= CASE( "User 3" )

The extra spaces around the search term prevents the CASE function from working. Is there any way to remove these spaces?

nickhills · ‎12-15-2020

This is a limitation of the the "format" command, I am not aware of anyway to prevent it adding spaces between the column/row separators/boundaries.

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎12-15-2020

This is a limitation of the the "format" command, I am not aware of anyway to prevent it adding spaces between the column/row separators/boundaries.

If my comment helps, please give it a thumbs up!

Remove spaces in result of format function

subsearch

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?