topic Re: How to replace a dynamic string in an event? in Splunk Search

How to replace a dynamic string in an event?

marisstella — Tue, 25 Feb 2020 17:59:57 GMT

I want to replace a dynamic string in an event..
Example: error occurred from the server ABCXYZ12345ABCXYZ under lenderprice hop...

Here "ABCXYZ12345ABCXYZ" is dynamic field. So i want to replace this string with XZXYYZZ"

Re: How to replace a dynamic string in an event?

adamsaul — Tue, 25 Feb 2020 18:25:43 GMT

Here is the search string I used to test. Please note that field=orig_field will need to be adjusted to whatever the field name is in question, can even be _raw

| makeresults | eval orig_field="error occurred from the server ABCXYZ12345ABCXYZ under lenderprice hop" | rex mode=sed field=orig_field "s/(?i)server\s+(\S+)\s+under/XZXYYZZ/g"

Re: How to replace a dynamic string in an event?

marisstella — Wed, 26 Feb 2020 01:39:53 GMT

Thanks for quick response, it is working fine... But I have around 300 different error messages, for all of then I want to replace a string it may be correlationID, Hostname,etc... Using your query, I will replace the string but the field name should be the same for all of 300 messages. How can I achieve this?

Re: How to replace a dynamic string in an event?

marisstella — Wed, 26 Feb 2020 03:09:57 GMT

| makeresults | eval origin="error occurred from the server ABCXYZ12345ABCXYZ under lenderprice hop"
|append[makeresults|eval origin="error occurred from the server SDFDKJ54121XV under lenderprice hop"]| rex mode=sed field=origin "s/(?i)server\s+(\S+)\s+under/server xxx-yyy under/g"

Re: How to replace a dynamic string in an event?

to4kawa — Wed, 26 Feb 2020 09:46:01 GMT

...
|rex mode=sed "s/(?<=server )\S+/XZXYYZZ/g"

Re: How to replace a dynamic string in an event?

marisstella — Wed, 26 Feb 2020 10:05:33 GMT

I think, we're almost close to resolution..... Let's we have different type of error messages like this, so in every message we want replace one string like CorrelationID, hostname... so how can you replace the string on different error messages and combine as a single field. So that I can use this field anywhere in the dashboard or report?

Re: How to replace a dynamic string in an event?

to4kawa — Wed, 26 Feb 2020 10:12:57 GMT

correlationID?Hostname?
I don't know.

Re: How to replace a dynamic string in an event?

marisstella — Wed, 26 Feb 2020 10:50:47 GMT

No no....I have already replaced majority of the strings based on your regex or idea.
Let's say, I have already wrote regex and able to replace.... Then how do I apply all the replaced strings with single fields...

Re: How to replace a dynamic string in an event?

to4kawa — Wed, 26 Feb 2020 11:10:20 GMT

all the replaced strings with single fields.
I don't know what these are.

...
 | rex "(?<=server )(?<anyfields>\S+)"
 | eventstats values(anyfields) as anyfields
 | eval single=mvjoin(anyfields,":")

Re: How to replace a dynamic string in an event?

marisstella — Wed, 30 Sep 2020 04:25:18 GMT

I'm sorry, I'm just confused. How can I apply these changes on _raw data?
When I use the field as | eval _raw=error from server ABCD1234 under lp sy stem.. | rex mode=sed field=error_message "s/(?i)server\s+(\S+)/server xxx-yyy/g"
This is done to _raw, but din't see any changes in the raw data., The Idea is we need to remove the duplicate errors triggering...

Re: How to replace a dynamic string in an event?

to4kawa — Wed, 30 Sep 2020 04:21:52 GMT

my answer changes _raw.
If rex option field= is not set, this works to _raw.
your query has field=error_message.

Re: How to replace a dynamic string in an event?

marisstella — Thu, 27 Feb 2020 11:42:06 GMT

Ohh, thanks!!! It will be very useful for L2 team...