Please note that I don't have an option to use replace/sub since I have to do this in Splunk.
Splunk most certainly has ways of replacing values in strings – either by using rex in sed mode, or by using eval replace().
This regular expression will pull what you’re looking for:
| rex field=_raw "\"(?<subject>[^\"]+)"
Follow it by replacing the \r\n:
| eval subject=replace(subject,"[\r\n]+","")
If that replace does not work for you (sometimes those hidden characters show up as sequential whitespace instead), do this:
| eval subject=replace(subject,"\s\s+"," ")
from User warren – Stack Overflow https://stackoverflow.com/questions/74122892/exclude-string-from-matched-result-in-regex/74124502#74124502
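A self-contained search for checking how the two replace() variants in the answer above behave on different inputs, added here as an example and not part of the original answer. The three events, the field names n, sample_note, stripped, collapsed and both, and the example.test addresses are constructed; urldecode() is used only to embed real CR and LF characters in the test data.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample_note="constructed test events, not from the original post"
| eval crlf=urldecode("%0D%0A"), lf=urldecode("%0A")
| eval _raw=case(
    n=1, "subject=\"Invoice" . crlf . " overdue\" sender=a@example.test",
    n=2, "subject=\"Invoice" . lf . "overdue\" sender=b@example.test",
    n=3, "subject=\"Invoice   overdue\" sender=c@example.test")
| rex field=_raw "\"(?<subject>[^\"]+)"
| eval stripped=replace(subject,"[\r\n]+","")
| eval collapsed=replace(subject,"\s\s+"," ")
| eval both=replace(replace(subject,"[\r\n]+"," "),"\s\s+"," ")
| table n subject stripped collapsed both
```

In event 2 the line break has no adjacent whitespace, so the first replace fuses the two words and the second leaves the value unchanged, because a single \n does not match \s\s+. The both column handles all three events by turning line breaks into a space before collapsing whitespace runs.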