Solved: Re: Remove timestamps using regex

oliverpeloton23 · ‎11-16-2021

Hi Splunk Community,

It's been a while since I've last used Splunk and regex, and now I'm struggling with both 🙂

Fields that I need to use ("resourceId") contain two user IDs and timestamps (e.g., "owner-10785-user-3801-key-1637099215"). I'm looking to keep the IDs and remove timestamps (basically everything after "owner-19803-user-8925-").

I came up with this clumsy thing:

index=main | eval resourceId1=replace (resourceId, "user-(?<user_id>\d+)", "") | eval resourceId2=replace (resourceId1, "owner-(?<owner_id>\d+)", "") | table resourceId2

It kind of works, the only problem is that it gives me the opposite result - it removes all the IDs leaving the timestamps, like this:

resourceId2
--key-1637100297
--1637100120.0929909
--key-1637100118

But I need the opposite. Can anyone please help?

ITWhisperer · ‎11-16-2021

| rex field=resourceId "owner-(?<owner>\d+)-user-(?<user>\d+)"
| eval resourceId2="owner-".owner."-user-".user

View solution in original post

ITWhisperer · ‎11-16-2021

| rex field=resourceId "owner-(?<owner>\d+)-user-(?<user>\d+)"
| eval resourceId2="owner-".owner."-user-".user

oliverpeloton23 · ‎11-16-2021

Thank you!

Remove timestamps using regex

regex

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies