Splunk Search

Remove string from field using REX

Splunkie
Explorer

I am trying to remove a field which has a suffix of sophos_event_input after the username. Example:

Username_Field

Joe-Smith, Adams sophos_event_input

Jane-Doe, Smith sophos_event_input

I would like to change the Username field to only contain the user's name. Example:

Username_Field

Joe-Smith, Adams 

Jane-Doe, Smith 

Basically I want to get rid of the sophos_event_input suffix.

How will I go about this? 


livehybrid
SplunkTrust

Hi @Splunkie 

Do you want this to affect the raw data (e.g. when it is indexed), or do you want the original string to exist in the data but also have a field which has it without the suffix?

You could do the following at search time:

| rex field=Username_Field mode=sed "s/ sophos_event_input$//"

(See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex)

Alternatively you could use a REPLACE function:

| eval cleaned_Username=REPLACE(Username_Field," sophos_event_input","")

You could also make this an automatic calculated field so that you don't need to include it in your SPL:

(screenshot of the calculated field configuration, not reproduced here)

If you want this to be replaced in the _raw event at index time then you need to deploy a props.conf file within a custom app to your HF or Indexers (whichever the data lands on first) with something like this:

# props.conf #
[yourSourcetype]
SEDCMD-removeSophosSuffix = "s/ sophos_event_input//g"

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


Splunkie
Explorer

Thanks livehybrid,

The first option worked perfectly. I only wanted the field to be sanitized at search time and the first option does that.

Cheers.

gcusello
SplunkTrust

Hi @Splunkie ,

Do you want to do this at index time, recording the modified events, or at search time (only in visualization)?

If at search time, you can use a regex in your searches like the following:

| rex mode=sed "s/sophos_event_input/ /g"

If at index time, you should put in the props.conf:

[<your_sourcetype>]
# SEDCMD must carry a class name after a hyphen (SEDCMD-<class>) to be recognised
SEDCMD-remove_sophos_suffix = "s/sophos_event_input/ /g"

This conf file must be located on the first full Splunk instance the data passes through, in other words on the first Heavy Forwarder (if present) or otherwise on the Indexers.

Ciao.

Giuseppe
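The two answers above use different sed scripts: livehybrid's anchored `s/ sophos_event_input$//` strips the space and suffix only at the end of the value, while gcusello's unanchored `s/sophos_event_input/ /g` replaces every occurrence with a space and so leaves trailing whitespace behind. The following added Python example (not code from either poster or from Splunk) replays both substitutions over constructed sample values and groups the results the way `| stats count by Username_Field` would; it assumes Python's `re.sub` is a fair stand-in for the sed engine behind `rex mode=sed` for these simple scripts.

```python
import re
from collections import Counter

# Constructed sample values modelled on the question; the third one
# never carried the suffix, as happens when several sources feed one field.
SAMPLE_USERNAMES = [
    "Joe-Smith, Adams sophos_event_input",
    "Jane-Doe, Smith sophos_event_input",
    "Joe-Smith, Adams",
]

# rex mode=sed "s/ sophos_event_input$//"  (livehybrid): drop the leading
# space and the suffix, but only when they sit at the very end of the value.
ANCHORED = (re.compile(r" sophos_event_input$"), "")

# rex mode=sed "s/sophos_event_input/ /g"  (gcusello): replace every
# occurrence with a single space; the space before the suffix survives.
UNANCHORED = (re.compile(r"sophos_event_input"), " ")


def apply_sed(value, script):
    """Apply one (pattern, replacement) pair to a single field value."""
    pattern, replacement = script
    return pattern.sub(replacement, value)


def clean_all(values, script):
    """Apply the script to every event's Username_Field."""
    return [apply_sed(v, script) for v in values]


def count_by_user(values, script):
    """Mimic `| stats count by Username_Field` after the rex: Splunk groups
    on the exact string, so trailing whitespace splits one user into two."""
    return dict(Counter(clean_all(values, script)))


if __name__ == "__main__":
    for name, script in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(name, count_by_user(SAMPLE_USERNAMES, script))
```

With the anchored script both "Joe-Smith, Adams" events land in one group; with the unanchored script the value keeps two trailing spaces and the same user shows up as two distinct rows, which also matters for lookups and `dedup` on the cleaned field.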
