Remove string from field using REX

Splunkie
Explorer

I am trying to remove a field which has a suffix of sophos_event_input after the username. Example:

Username_Field

Joe-Smith, Adams sophos_event_input

Jane-Doe, Smith sophos_event_input

I would like to change the Username field to only contain the user's name. Example:

Username_Field

Joe-Smith, Adams 

Jane-Doe, Smith 

Basically I want to get rid of the sophos_event_input suffix.

How will I go about this? 


livehybrid
SplunkTrust

Hi @Splunkie 

Do you want this to affect the raw data (e.g. when it's indexed) or do you want the original string to exist in the data but also have a field which has it without the suffix?

You could do the following at search time:

| rex field=Username_Field mode=sed "s/ sophos_event_input$//" 

(See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex)

Alternatively you could use a REPLACE function:

| eval cleaned_Username=REPLACE(Username_Field," sophos_event_input","")

You could also make this an automatic calculated field so that you don't need to include it in your SPL:

If you want this to be replaced in the _raw event at index time then you need to deploy a props.conf file within a custom app to your HF or Indexers (whichever the data lands on first) with something like this:

# props.conf #
[yourSourcetype]
SEDCMD-removeSophosSuffix = "s/ sophos_event_input//g"

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Splunkie
Explorer

Thanks livehybrid, 

The first option worked perfectly. I only wanted the field to be sanitized at search time and the first option does that.

Cheers.

gcusello
SplunkTrust

Hi @Splunkie,

Do you want to do this at index time, recording the modified events, or at search time (only in visualization)?

If at search time, you can use a regex in your searches like the following:

| rex mode=sed "s/sophos_event_input/ /g"

If at index time, you should put this in props.conf:

[<your_sourcetype>]
SEDCMD = "s/sophos_event_input/ /g"

This conf file must be located in the first full Splunk instance where the data passes through, in other words the first Heavy Forwarder (if present) or otherwise the Indexers.

Ciao.

Giuseppe
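A small harness, added here as an example and not part of either answer above, that applies the substitutions from livehybrid's answer (anchored rex, and the REPLACE eval) and from gcusello's answer (unanchored, replaced with a space) to constructed sample values, so a pattern can be checked for leftover whitespace before an index-time SEDCMD rewrites _raw permanently. SAMPLE_USERNAMES and the rule names are constructed for this example; the patterns are the ones from the answers, written in Python's re syntax.

```python
import re

# Constructed sample field values in the shape the question describes.
# The third value has no suffix and must pass through untouched.
SAMPLE_USERNAMES = [
    "Joe-Smith, Adams sophos_event_input",
    "Jane-Doe, Smith sophos_event_input",
    "Ann-Lee, Park",
]

# Each rule is (pattern, replacement); the SPL/sed form is in the comment.
ANCHORED = (r" sophos_event_input$", "")      # rex mode=sed "s/ sophos_event_input$//"
REPLACE_EVAL = (r" sophos_event_input", "")   # eval REPLACE(field," sophos_event_input","")
UNANCHORED = (r"sophos_event_input", " ")     # rex mode=sed "s/sophos_event_input/ /g"


def apply_sed(value, rule, global_flag=True):
    """Emulate a sed 's/pattern/replacement/' substitution on one field value.
    global_flag mirrors the trailing /g: replace every match, not just the first."""
    pattern, repl = rule
    return re.sub(pattern, repl, value, count=0 if global_flag else 1)


def clean_usernames(values, rule):
    """Return the cleaned value for every input value, in order."""
    return [apply_sed(v, rule) for v in values]


def check_rule(values, rule):
    """Return (input, output) pairs where the rule leaves trailing or doubled
    whitespace, which is what replacing the suffix with a space leaves behind."""
    problems = []
    for v in values:
        out = apply_sed(v, rule)
        if out != out.rstrip() or "  " in out:
            problems.append((v, out))
    return problems


if __name__ == "__main__":
    for name, rule in (("anchored", ANCHORED), ("replace", REPLACE_EVAL), ("unanchored", UNANCHORED)):
        print(name, clean_usernames(SAMPLE_USERNAMES, rule), check_rule(SAMPLE_USERNAMES, rule))
```

Running it shows that the anchored and REPLACE forms yield exactly the values the question asks for, while the space-replacement form leaves two trailing spaces on each cleaned username.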
