I have a search that returns a user field i.e. user="username". This gets reported by one system as user="u'username'" this is generating false positives for unknown users.
I want to modify the user field, if necessary to remove the u' at the start and the ' at the end. I have a way but it seems cumbersome
| eval user=if(like(user,"u'%'"), mvindex(split(user,"'") ,1) ,user)
I'd be interested if there's a better way since I have another mis-report where the username has a : appended to it. using a similar eval but with an rtrim I could remove it but the search would be getting very heavy then.
| eval user=if(like(user,"u'%'"), mvindex(split(user,"'") ,1) ,user) | eval user=if(like(user,"%:"), rtrim(user,":") ,user)
I feel there ought to be a regular expression way of doing this but I can't work it out.
Thanks
... View more