×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Splunkie
Explorer
Member since: ‎04-09-2025
‎07-23-2025
Community Statistics
Posts 6
Solutions 0
Karma Given 3
Karma Received 1
Member Since ‎04-09-2025
Activity Feed
View All

Re: Remove string from field using REX

by in Splunk Search
‎07-23-2025 03:43 AM
1 Karma
‎07-23-2025 03:43 AM
1 Karma
Thanks livehybrid,  The first option worked perfectly. I only wanted the field to be sanitized at search time and the first option does that. Cheers.   ... View more

Remove string from field using REX

by in Splunk Search
‎07-23-2025 02:00 AM
‎07-23-2025 02:00 AM
I am trying to remove a field which  has a suffix of sophos_event_input after the username. Example Username_Field Joe-Smith, Adams sophos_event_input Jane-Doe, Smith sophos_event_input I would like to change the Username field to only contain the users name, Example Username_Field Joe-Smith, Adams  Jane-Doe, Smith  Basically I want to get rid of the sophos_event_input suffix. How will I go about this?  ... View more
Labels

Re: Remove string from field using REX or Replace

by in Splunk Search
‎07-22-2025 08:12 AM
‎07-22-2025 08:12 AM
I am having a similar issue however in my case the field always has a suffix of sophos_event_input after the username. Example User Joe-Smith, Adams sophos_event_input Jane-Doe, Smith sophos_event_input I would like to change the User field to User Joe-Smith, Adams  Jane-Doe, Smith  Basically I want to get rid of the sophos_event_input suffix. How will I go about this?  ... View more

Re: Query that checks if field values have changed...

by in Splunk Search
‎04-11-2025 05:28 AM
‎04-11-2025 05:28 AM
Thanks @splunkmarroko, Thanks. I tried that, however going about it that way returns the initial events with an "Active" status and does not take into consideration that the status has changed from "Active" to "Resolved". ... View more

Re: Query that checks if field values have changed...

by in Splunk Search
‎04-11-2025 04:11 AM
‎04-11-2025 04:11 AM
Thanks @livehybrid, This works but returns inaccurate results when the search is run using the real time search time filter. This is an example of what I have; | base_search here | stats latest(status) as latest_status by incidentId | where latest_status!="Resolved" | stats count as total   The output is to count the number of active incidents to be displayed on a dashboard. Any pointer or tips on how to better achieve this will be appreciated. Cheers. ... View more

Query that checks if field values have changed to ...

by in Splunk Search
‎04-10-2025 05:54 AM
‎04-10-2025 05:54 AM
Hi Friends, I am working a query that checks if the value of a field has changed to a state of resolved to exclude it from the results of active cases. The field I am trying to use to check if a case has been resold is the status field.  I need help with a query that looks at all cases with the status of Active and removes cases whose status has now changed to Resolved from the results. Thank you. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-23-2025 01:56 AM
Karma from
View All
Karma given to
View All