Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

rex n replace or rex and optional find

TobiasBoone
Communicator
‎10-16-2014 02:14 PM

cs_username field contains multiple formats of username in the form of:
username
domain\usernam
username@domain.com

Q #1 How to I remove domain\ or @domian.com elegantly

&

Q #2 How do I deduplicate those usernames that have different case sensitivies
username
USERNAME

I just want one list of usernames to pipe back into a subsearch

Driving me crazy.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 03:05 PM

Something like this?

main search foo [subsearch foo | eval username = lower(replace(username, "@.*", "")) | dedup username | fields username]

Removes everything after an @ symbol, converts to lower case, dedups, builds a huge OR'd expression to filter the main search.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 03:05 PM

Something like this?

main search foo [subsearch foo | eval username = lower(replace(username, "@.*", "")) | dedup username | fields username]

Removes everything after an @ symbol, converts to lower case, dedups, builds a huge OR'd expression to filter the main search.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-20-2014 03:36 PM

Does that mean your question is solved?

0 Karma
Reply
Solved! Jump to solution

TobiasBoone
Communicator
‎10-20-2014 12:27 PM

I wasn't using eval in conjunction with the replace command correctly 😞

This example with another pipe to eval to get rid of the domain\ seems to be doing the trick. Thank you SO much.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...