Splunk Search

use regex to remove a number from a string

matansocher
Contributor

Hi,

I want to remove a number (up to 5 digits) from a string on its beginning.
an example:

43.aaaa_vvvvv.cccccc:dddddd => aaaa_vvvvv.cccccc:dddddd
9374.aaaa_vvvvv.cccccc:dddddd => aaaa_vvvvv.cccccc:dddddd
1.aaaa_vvvvv.cccccc:dddddd => aaaa_vvvvv.cccccc:dddddd

I only need to remove the first number and the "." after it.

thanks

0 Karma
1 Solution

niketn
Legend

@matansocher, is this a field or raw data?
You can try the following rex command:

<your base search>
| rex field=_raw "\d+.(?<myData>.*)"
| table _raw myData

I have use field name as _raw but you can replace with your own if it is some other field. Alternatively you can also use replace() command with regular expression if this is a field.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

nikita_p
Contributor

Hi matansocher,
Try the regex below. Let me know if this works.
index=xyz| rex field=_raw "^(?P[^.]+)"

0 Karma

ryhluc01
Communicator

This produces this message:

"Error in 'rex' command: Encountered the following error while compiling the regex '^(?P[^.]+)': Regex: unrecognized character after (?P"

0 Karma

niketn
Legend

@matansocher, is this a field or raw data?
You can try the following rex command:

<your base search>
| rex field=_raw "\d+.(?<myData>.*)"
| table _raw myData

I have use field name as _raw but you can replace with your own if it is some other field. Alternatively you can also use replace() command with regular expression if this is a field.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...