Splunk Search

I want to cut all the words after Modified where it is first present. I used the command below, but it is only cutting the Modified value; the others are still present.

| rex field=ER mode=sed "s/Modified\S+//g "

DataOrg
Builder

Extesnded value Associaated With destiny: "LineIces" - "Actio1n Cod2e"; Modified: Extends Aribute - "Action"; Old Value = "Add"; New Value = "-" Modified

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| rex field=ER mode=sed "s/Modified\S+.*$//g "

But maybe the \S should be \s so try this if that doesn't work:

| rex field=ER mode=sed "s/Modified\s+.*$//g "

Or maybe actually this:

| rex field=ER mode=sed "s/Modified:\s+.*$//g "
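
Added example, not part of the original thread or of the answer above: it runs the question's pattern and the three suggested patterns against the sample event from the question, so you can see which ones actually truncate the field. It assumes Python's `re` behaves like the regex engine behind `rex mode=sed` for these simple patterns; the labels in `PATTERNS` and the helper names are hypothetical.

```python
import re

# Sample event copied from the question (field ER); the typos are in the posted data.
EVENT = ('Extesnded value Associaated With destiny: "LineIces" - "Actio1n Cod2e"; '
         'Modified: Extends Aribute - "Action"; Old Value = "Add"; '
         'New Value = "-" Modified')

# Patterns taken from the thread. The dictionary keys are labels made up for this example.
PATTERNS = {
    "question": r"Modified\S+",      # removes only "Modified:"; the rest of the field stays
    "answer_1": r"Modified\S+.*$",   # "Modified:" plus everything up to end of string
    "answer_2": r"Modified\s+.*$",   # needs whitespace directly after "Modified"
    "answer_3": r"Modified:\s+.*$",  # anchors on the literal "Modified: "
}


def sed_delete(pattern, text):
    """Emulate `s/<pattern>//g`: delete every match (assumption: re ~ Splunk sed mode)."""
    return re.sub(pattern, "", text)


def compare(text=EVENT):
    """Return {label: resulting field value} for every pattern in PATTERNS."""
    return {label: sed_delete(pattern, text) for label, pattern in PATTERNS.items()}


if __name__ == "__main__":
    for label, result in compare().items():
        status = "changed" if result != EVENT else "NO MATCH"
        print(f"{label:9} [{status}] {result!r}")
```

On this sample, `answer_2` leaves the field untouched because neither occurrence of "Modified" is followed by whitespace (the first is followed by a colon, the second ends the string), while `answer_1` and `answer_3` both cut from the first "Modified:" to the end.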

abhinav_maxonic
Path Finder

Can you provide a sample of what the event is and what you want to extract out of that event?

0 Karma

DataOrg
Builder

I want to cut/remove all the characters when "Modified" is present.

EX : Extesnded value Associaated With destiny: "LineIces" - "Actio1n Cod2e"; Modified: Extends Aribute - "Action"; Old Value = "Add"; New Value = "-" Modified

0 Karma

abhinav_maxonic
Path Finder

So if there is a field A: when the word "Modified" is NOT present in the event, the value of A="Add", and when the word "Modified" is present in the event, the value of A="-". Is this what you want?

0 Karma