Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: regex to remove first occuring numeric values ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to remove the numeric value and comma which is occurring on the first line beginning
1,Woolworths appoints new chief executive
2,Retailer Woolworths has appointed Roy Bagattini as its new group chief executive officer (CEO), with former chief Ian Moir set to step down on 16 February.
123,Walmart is joining Albertsons and Kroger
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj
Try something like this:
your search...|rex field=_raw "^\d+\,(?P<text>.+)$"
If that original string is already extracted to another field, replace _raw with your fieldname.
Let me know if that works!
https://regex101.com/r/W7Ea2p/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj
Try this
| makeresults
| eval string="1,Woolworths appoints new chief executive#
2,Retailer Woolworths has appointed Roy Bagattini as its new group chief executive officer (CEO), with former chief Ian Moir set to step down on 16 February.#
123,Walmart is joining Albertsons and Kroger"
| makemv delim="#" string
| mvexpand string
| eval temp=split(string,",")
| eval result=mvindex(temp,1) |table result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where does the '#' comes from?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For creating dummy event I had added # in the text to break
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vnravikumar thanks it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj
Try something like this:
your search...|rex field=_raw "^\d+\,(?P<text>.+)$"
If that original string is already extracted to another field, replace _raw with your fieldname.
Let me know if that works!
https://regex101.com/r/W7Ea2p/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nickhillscpl cool ! worked , thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
