topic Re: How do I remove a double inverted comma from a value? in Security

How do I remove a double inverted comma from a value?

maheshsat — Mon, 26 Nov 2018 13:53:49 GMT

I have to remove a double inverted comma from a value.

Query:

| rex "(.Item=(?[^\,]+))"| rex "(.Reserved1=(?[^\,]+))" | rex "(.Reserved2=(?[^\,]+))" | rex "(.Type=(?[^\,]+))" | rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?\"\d+\.\d+\")\,\s+\w+\s+.*"
|rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?\"\d+\.\d+\")\,\s+\w+\s+.*"

I have to remove the double inverted comma from value below. I have written the above query, but the double inverted comma is not getting removed.

Output:

Line_Item            “TFT Details Member” 
LG_Reserved1      “000000 “  
LG_Reserved2      “0000”  
Balance_Test         “Test“ 
Balance_Entered   “1238996555” 
Balance_Test         “8487347327473”

Re: How do I remove a double inverted comma from a value?

FrankVl — Mon, 26 Nov 2018 14:07:12 GMT

Can you please edit your question and post your code as code (using the 101010 button in the editor toolbar). Now it seems certain special characters are missing from your regular expressions.

In general it is not entirely clear looking at the rex commands your provide and the sample data, how these two align and what exact code is your attempt to remove the double quotes.

I believe there are multiple actual characters to represent ", so make sure you use the correct one.

Re: How do I remove a double inverted comma from a value?

Richfez — Mon, 26 Nov 2018 14:30:31 GMT

EDIT: I fixed the code to use the code tags, so it should come across now.

Re: How do I remove a double inverted comma from a value?

maheshsat — Tue, 29 Sep 2020 22:11:28 GMT

I was able to find out answer but still two field are remaining Balance_Entered & Balance_Test

| rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?<Balance_Entered>\"\d+\.\d+\")\,\s+\w+\s+.*"
|rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?<Balance_Test>\"\d+\.\d+\")\,\s+\w+\s+.*"

I got the answer below is the query but still last two fields

Balance_Entered “1238996555”
Balance_Test “8487347327473”

Re: How do I remove a double inverted comma from a value?

Richfez — Mon, 26 Nov 2018 15:28:58 GMT

You should be able to move those quote marks outside the capture group.

The capture group is (?<Balance_Test>\"\d+\.\d+\") so move the quotes outside, like \"(?<Balance_Test>\d+\.\d+)\". Repeat with Balance_Entered.

Re: How do I remove a double inverted comma from a value?

Richfez — Mon, 26 Nov 2018 15:30:11 GMT

Also EDIT: I fixed the non-code to not use the code tags, so it looks better. 🙂

Re: How do I remove a double inverted comma from a value?

FrankVl — Mon, 26 Nov 2018 15:33:57 GMT

Apart from any characters that had already disappeared like anything between <>. @maheshsat needs to really repost it himself. As he did in the answer below.

Re: How do I remove a double inverted comma from a value?

maheshsat — Mon, 26 Nov 2018 15:37:07 GMT

Its workes Thanks really appreciate Rich

Re: How do I remove a double inverted comma from a value?

FrankVl — Mon, 26 Nov 2018 15:38:29 GMT

This still doesn't make a whole lot of sense to me. Your regex to capture those 2 fields says \"\d+\.\d+\" so double quote, followed by numbers, followed by a dot, followed by more numbers, followed by a double quote.

That doesn't line up with the data you are showing (data doesn't include any dots) and it also doesn't make sense to capture the double quotes if that was the thing you wanted to get rid of.

Re: How do I remove a double inverted comma from a value?

maheshsat — Mon, 26 Nov 2018 15:39:19 GMT

Can you reply your answer again , I have to accept your answer

Re: How do I remove a double inverted comma from a value?

Richfez — Sun, 02 Dec 2018 13:15:54 GMT

Is this still an issue?

If I were you, I would head to regex101.com, paste into the bottom a couple of your events where this data is.
Then on the top, start with your first piece of your regex: \d+, see how it matches, then keep adding in the above until you find where it breaks or does the wrong thing. It's a methodical way to uncover small mistakes, and also helps a lot in understanding your regex.

Or post a handful of those events in here and we can match them for you.