Solved: Re: Remove timestamps using regex

oliverpeloton23 · ‎11-16-2021

Hi Splunk Community,

It's been a while since I've last used Splunk and regex, and now I'm struggling with both 🙂

Fields that I need to use ("resourceId") contain two user IDs and timestamps (e.g., "owner-10785-user-3801-key-1637099215"). I'm looking to keep the IDs and remove timestamps (basically everything after "owner-19803-user-8925-").

I came up with this clumsy thing:

index=main | eval resourceId1=replace (resourceId, "user-(?<user_id>\d+)", "") | eval resourceId2=replace (resourceId1, "owner-(?<owner_id>\d+)", "") | table resourceId2

It kind of works, the only problem is that it gives me the opposite result - it removes all the IDs leaving the timestamps, like this:

resourceId2
--key-1637100297
--1637100120.0929909
--key-1637100118

But I need the opposite. Can anyone please help?

ITWhisperer · ‎11-16-2021

| rex field=resourceId "owner-(?<owner>\d+)-user-(?<user>\d+)"
| eval resourceId2="owner-".owner."-user-".user

View solution in original post

ITWhisperer · ‎11-16-2021

| rex field=resourceId "owner-(?<owner>\d+)-user-(?<user>\d+)"
| eval resourceId2="owner-".owner."-user-".user

oliverpeloton23 · ‎11-16-2021

Thank you!

Remove timestamps using regex

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation