Splunk Search

Remove string from field using REX

Splunkie
Explorer

I am trying to remove a field which has a suffix of sophos_event_input after the username. Example:

Username_Field

Joe-Smith, Adams sophos_event_input

Jane-Doe, Smith sophos_event_input

I would like to change the Username field to only contain the user's name. Example:

Username_Field

Joe-Smith, Adams 

Jane-Doe, Smith 

Basically I want to get rid of the sophos_event_input suffix.

How will I go about this? 


livehybrid
SplunkTrust
SplunkTrust

Hi @Splunkie 

Do you want this to affect the raw data (e.g. when it is indexed), or do you want the original string to exist in the data but also have a field which has it without the suffix?

You could do the following at search time:

| rex field=Username_Field mode=sed "s/ sophos_event_input$//" 

(See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex)

Alternatively you could use a REPLACE function:

| eval cleaned_Username=REPLACE(Username_Field," sophos_event_input","")

You could also make this an automatic calculated field so that you don't need to include it in your SPL:

[screenshot of the calculated field configuration omitted]

If you want this to be replaced in the _raw event at index time then you need to deploy a props.conf file within a custom app to your HF or Indexers (whichever the data lands on first) with something like this:

# props.conf #
[yourSourcetype]
SEDCMD-removeSophosSuffix = "s/ sophos_event_input//g"

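To check the search-time options above against known input before running them on real data, here is a `makeresults` harness (an added example, not part of the answer). It applies the posted `rex mode=sed` one-liner and the `replace()` equivalent to constructed sample rows, extended with `\s*` so a trailing space after the suffix (row 3) is also stripped, and includes a row with no suffix (row 4) to confirm it is left untouched.

```spl
| makeresults count=4
| streamstats count AS row
| eval Username_Field=case(
    row==1, "Joe-Smith, Adams sophos_event_input",
    row==2, "Jane-Doe, Smith sophos_event_input",
    row==3, "Sam-Lee, Park sophos_event_input ",
    row==4, "Pat-Jones, Kim")
| eval original=Username_Field
| rex field=Username_Field mode=sed "s/ sophos_event_input\s*$//"
| eval via_replace=replace(original, " sophos_event_input\\s*$", "")
| table row original Username_Field via_replace
```

The `original` column keeps the untouched value so the `rex` result (which rewrites `Username_Field` in place) and the `replace()` result can be compared side by side.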


Splunkie
Explorer

Thanks livehybrid, 

The first option worked perfectly. I only wanted the field to be sanitized at search time and the first option does that.

Cheers.

 

gcusello
SplunkTrust
SplunkTrust

Hi @Splunkie ,

Do you want to do this at index time, recording the modified events, or at search time (only in visualization)?

If at search time, you can use a regex in your searches like the following:

| rex mode=sed "s/sophos_event_input/ /g"

If at index time, you should put this in props.conf (SEDCMD needs a class name suffix):

[<your_sourcetype>]
SEDCMD-<your_class> = "s/sophos_event_input/ /g"

This conf file must be located in the first full Splunk instance where data passes through, in other words on the first Heavy Forwarder (if present) or otherwise on the Indexers.

Ciao.

Giuseppe
