Solved: Remove string from field using REX or Replace

smcdonald20 · ‎06-01-2017

I have a field, where all values are pre-fixed with "OPTIONS-IT\".
I would like to remove this, but not sure on the best way to do it.

example
User
OPTIONS-IT\smcdonald
OPTIONS-IT\jbloggs

I would like to change to
User
smcdonald
jbloggs

I have tried eval User= replace (User, "OPTIONS-IT\", "") but this doesn't work.

The regular expressions I have used have not worked either.
Any help appreciated.

dineshraj9 · ‎06-01-2017

These methods support regular expression and "\" will be treated as escape character.
Do it this way -

<your search> | rex field=User "OPTIONS.IT.(?<User>\S+)"

OR

<your search> | eval User=replace (User, "OPTIONS\-IT.", "")

Splunkie · ‎07-22-2025

I am having a similar issue however in my case the field always has a suffix of sophos_event_input after the username. Example

User

Joe-Smith, Adams sophos_event_input

Jane-Doe, Smith sophos_event_input

I would like to change the User field to

User

Joe-Smith, Adams

Jane-Doe, Smith

Basically I want to get rid of the sophos_event_input suffix.

How will I go about this?

woodcock · ‎06-01-2017

Like this (needs more escape characters):

... | rex field=User mode=sed "s/OPTIONS-IT\\\//g"

ljalvrdz · ‎08-30-2018

This one works great! Thanks!

gcusello · ‎06-01-2017

Hi smcdonald20,
Try the following command

your_search | rex field=your_field "OPTIONS-IT\\(?<username>[^ ]*)"

Bye.
Giuseppe

dineshraj9 · ‎06-01-2017

These methods support regular expression and "\" will be treated as escape character.
Do it this way -

<your search> | rex field=User "OPTIONS.IT.(?<User>\S+)"

OR

<your search> | eval User=replace (User, "OPTIONS\-IT.", "")

daymauler · ‎09-02-2021

Worked like charm!!! Thanks

Remove string from field using REX or Replace