Regex help please

dmenon · ‎04-02-2020

I have field username - they show up as username=mike and in some cases username=mike. with a dot in the end. How do I remove the dot from end? This is messing my stats values(xyz) by username.

vnravikumar · ‎04-02-2020

Hi

Try this also

........| eval username=replace(username,".$","")

woodcock · ‎04-02-2020

There are many ways; here is one:

... | rex field=username mode=sed "s/\.+$//g"

vinod94 · ‎04-02-2020

Hi dyude @dmenon ,

You can try this,

rex field=username "(?P<username>[^\.]+)"

jpolvino · ‎04-02-2020

If a period is legal inside, but the line always has to end with a period, this might work for you:
|rex field=username "username=(?<username>.+)\.$"

gcusello · ‎04-02-2020

Hi @dmenon,
if you username hasn't spaces, you can try this:

| rex field=username "^(?<username>\w+)"

that you can test at https://regex101.com/r/mfLTm3/1

if instead you could have spaces in the username field, you could try this:

| rex field=username "^(?<username>.+)(\.|$)"

that you can test at https://regex101.com/r/mfLTm3/2

Ciao.
Giuseppe

Regex help please

Splunk Answers Content Calendar, July Edition I

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Are you a member of the Splunk Community?

Regex help please

Splunk Answers Content Calendar, July Edition I

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM