topic Re: Remove specific substrings from specific values in Splunk Search

Remove specific substrings from specific values

techspec — Fri, 09 Oct 2020 00:24:45 GMT

I have a query that looks for certain error messages and displays a list sorted by most common occurrence. My problem is that some of these error messages contain unique IDs, causing them to show as separate results.

The first 3 messages below end with unique values - how do I update this query to output those error messages without the unique values after the * mark, or even replace with another string like "redacted"?

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0 ( extraData.message="Incorrect email or password for*" OR extraData.message="Street address and/or city is too long*" OR extraData.message="The following address could not be found:*" OR extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR extraData.message="The network connection was lost." ) | stats count by extraData.message | sort -count

Re: Remove specific substrings from specific values

Pathik — Fri, 09 Oct 2020 04:41:59 GMT

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count

Re: Remove specific substrings from specific values

isoutamo — Fri, 09 Oct 2020 04:56:08 GMT

Hi
Other option is use rex mode=sed
r. Ismo

Re: Remove specific substrings from specific values

techspec — Fri, 09 Oct 2020 18:33:10 GMT

Thanks - what you suggested makes sense, but I used it exactly as you showed and get "no results found":

Re: Remove specific substrings from specific values

isoutamo — Fri, 09 Oct 2020 18:46:33 GMT

With like you must use % and _ instead of *
https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/ConditionalFunctions

Re: Remove specific substrings from specific values

techspec — Fri, 09 Oct 2020 19:36:03 GMT

Thanks - still no luck. Even tried on an error message with no wildcards, just a simple match and replace:

Re: Remove specific substrings from specific values

isoutamo — Sat, 10 Oct 2020 06:03:51 GMT

Try to put ‘ surround your field names.

Re: Remove specific substrings from specific values

techspec — Sat, 10 Oct 2020 15:52:42 GMT

That did it - thanks!