0

I have a field where all values have the following format:

Knowledge:xyz,id:2907129

The id number always changes, however, all I want is the value of xyz.

I used the following to remove "Knowledge:"

eval url=replace (url, "Open_KnowledgeZone:", "") 

For the id portion, using ",id*" did not work within the eval replace function.

wra

1 Answer

1

You'll want to use a regex. Something like:

rex field=url "(?<=Knowledge:)(?<AnyFieldName>.*)(?=,)"

Where <AnyFieldName> is the name you want the result field to be. This will select all characters after "Knowledge:" and before the ",".

Here is the regex in action outside of Splunk:

https://regex101.com/r/ofW0a1/1

TroggleDorf
  • And this is a very simple example. You could make it more elegant, such as searching for the first ":" instead of the literal "Knowledge:". You can make it more restrictive, such as making sure "xyz" is always three characters long; right now it will take any string up to the first ",". If you are unfamiliar with Regular Expressions, here is a great place to start: https://regexone.com/ – TroggleDorf Feb 14 '18 at 13:13
  • That worked great! And thank you for the additional info. I will definitely read up on it! – wra Feb 14 '18 at 14:17
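
An added example, not part of the original thread: it runs the answer's pattern next to a stricter anchored variant over constructed field values, to show what each one extracts when a value does not have the expected shape. The `STRICT` pattern, the helper names and the sample values are assumptions, and the named group is written in Python's `(?P<name>...)` form rather than the `(?<name>...)` form used in the `rex` command.

```python
import re

# The answer's pattern; only the named-group syntax is changed for Python.
ANSWER = re.compile(r"(?<=Knowledge:)(?P<name>.*)(?=,)")

# Stricter variant (assumption, not from the thread): anchored at both ends,
# the name may not contain a comma, and the id must be digits only.
STRICT = re.compile(r"^Knowledge:(?P<name>[^,]+),id:\d+$")


def extract(pattern, value):
    """Return the captured name, or None when the value does not match."""
    m = pattern.search(value)
    return m.group("name") if m else None


# Constructed sample values (not taken from real data).
SAMPLES = [
    "Knowledge:xyz,id:2907129",        # the shape shown in the question
    "Knowledge:xyz,extra,id:2907129",  # an unexpected second comma
    "Knowledge:xyz",                   # id part missing
    "Other:abc,id:5",                  # different prefix
]


def compare(values=SAMPLES):
    """Return (value, answer_result, strict_result) for each sample."""
    return [(v, extract(ANSWER, v), extract(STRICT, v)) for v in values]


if __name__ == "__main__":
    for v, a, s in compare():
        print(f"{v!r:36} answer={a!r:14} strict={s!r}")
```

For the value with a second comma, the greedy `.*` backtracks only as far as the last comma, so the first pattern returns `xyz,extra`, while the anchored pattern returns no match, leaving the field empty rather than populated with an unexpected string.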