Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get rid of extra space from the output of a splunk query

maramk
Explorer
‎10-04-2021 06:30 PM

Hi Guys,

     I have a splunk command which returns a filename as the output. But i found that there is an extra space before and after the filename.

query i am running here is,

filetest | rex "sent to:  https://someurl/(?<file>.*)" | table file

 

Output displayed as:

...............................

..............................

.............................

..............................

file.txt

.............................

...........................

............................

 

how can i get rid of the extra space before and after the file name?

 

Thanks.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

maramk
Explorer
‎10-05-2021 03:52 PM

@danielcj and @Azeemering ,

 

adding "where isnotnull(json)" at the end of the query fixed the issue.

 

Thanks.

0 Karma
Reply

danielcj
Communicator
‎10-05-2021 01:41 PM

Hello,

 

The extra spaces of the file name are blank spaces? If so, you could use the trim command to remove these spaces like the following:

| rex "sent to:  https://someurl/(?<file>.*)" 
| eval file = trim(file)
| table file

 

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:35 PM

hi @danielcj ,

    Thanks for the response. The above command you suggested doesn't remove extra lines. Its returning the same result before and after.

  I am running the query to match a file name from the splunk logs and extracting it to display. But there are empty lines before and after the file name as below.

output:

............................

...........................

..........................

file.txt

.........................

.....................

..................

 

can you suggest me anything better. Appreciate your response.

 

Thanks.

Thanks.

0 Karma
Reply

Azeemering
Builder
‎10-05-2021 01:25 PM

Can you try

| rex field=file mode=sed "s/(^\s+)|(\s+$)//g"

0 Karma
Reply

maramk
Explorer
‎10-05-2021 02:38 PM

Hi @Azeemering ,

 

   I tried it as you suggested well. Check the command i run below for my query. Please suggest me if i can make it better to get the file name without empty lines before and after.

 

filename | rex "uploaded to: s3:someurl/(?<json>.*)" | rex field=json mode=sed "s/(^\s+)|(\s+$)//g" | table json

 

output still showing as,

................................

..............................

.............................

file.txt

..............................

..............................

............................

 

I have to get rid of those extra lines and display just the file name. I appreciate your help

 

Thanks.

 

Thanks. 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...