Solved: Re: Remove only fields that do not have suffix

duesser · ‎11-01-2023

Basically I have a search with a lot of fields, similar to this example:

| makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5

from this I would basically like to keep everything except for aa* that does not contain the suffix x. I tried

| fields -aa* aa*x

as well as similar approaches, but they do not work:

1) either deleting all aa* (including aa*x)

2) not keeping b or

3)not deleting aa* at all.

I would know how to solve this with regex: "aa.+(?<!x)$" as can be seen here:

https://regex101.com/r/JfVHCJ/latest

Is there any SPL equivalent?

ITWhisperer · ‎11-01-2023

| makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5
| rename aa*x as xaa*x
| fields - aa*
| rename xaa*x as aa*x

View solution in original post

ITWhisperer · ‎11-01-2023

| makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5
| rename aa*x as xaa*x
| fields - aa*
| rename xaa*x as aa*x

richgalloway · ‎11-01-2023

Have you tried this?

| makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5
| fields + aa*x b

---
If this reply helps you, Karma would be appreciated.

duesser · ‎11-01-2023

While this is possible, there are a lot of b's in the real search and I am looking for a way to not have to write those out individually. - I would like a negative formulation if possible

Remove only fields that do not have suffix

fields

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector