Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- regex to remove first occuring numeric values with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to remove the numeric value and comma which is occurring on the first line beginning
1,Woolworths appoints new chief executive
2,Retailer Woolworths has appointed Roy Bagattini as its new group chief executive officer (CEO), with former chief Ian Moir set to step down on 16 February.
123,Walmart is joining Albertsons and Kroger
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj
Try something like this:
your search...|rex field=_raw "^\d+\,(?P<text>.+)$"
If that original string is already extracted to another field, replace _raw with your fieldname.
Let me know if that works!
https://regex101.com/r/W7Ea2p/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj
Try this
| makeresults
| eval string="1,Woolworths appoints new chief executive#
2,Retailer Woolworths has appointed Roy Bagattini as its new group chief executive officer (CEO), with former chief Ian Moir set to step down on 16 February.#
123,Walmart is joining Albertsons and Kroger"
| makemv delim="#" string
| mvexpand string
| eval temp=split(string,",")
| eval result=mvindex(temp,1) |table result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where does the '#' comes from?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For creating dummy event I had added # in the text to break
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vnravikumar thanks it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj
Try something like this:
your search...|rex field=_raw "^\d+\,(?P<text>.+)$"
If that original string is already extracted to another field, replace _raw with your fieldname.
Let me know if that works!
https://regex101.com/r/W7Ea2p/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nickhillscpl cool ! worked , thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security
Announcing Modern Navigation: A New Era of Splunk User Experience
Detection Engineering Office Hours: Real-World Troubleshooting & Q&A
