topic Re: replace function itself is not working when i did a splunk search query in Splunk Search

replace function itself is not working when i did a splunk search query

d942725 — Mon, 03 Feb 2020 10:44:05 GMT

I have a use case where i need to pass the previously performed search query to replace the part of message with empty string. environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","") The above message in turn obtained must be used to do another operation. But the replace function itself is not working when i did a splunk search query. I am able to see the log with "Data =" being not removed and came as it is. I need to do this asap. can u pls provide a solution ?

Re: replace function itself is not working when i did a splunk search query

richgalloway — Mon, 03 Feb 2020 14:09:49 GMT

In environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","") the replace command has a space before "Data" so it does not match the sample event.

Re: replace function itself is not working when i did a splunk search query

d942725 — Mon, 03 Feb 2020 17:24:21 GMT

I've a message as displayed below from the log.

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",". Tried either of the ways without space before Data and without space. But nothing has sorted out the issue. I need to remove the " Data = " in the above message and must be able to get the actual json. Please help with the possible ways.

Re: replace function itself is not working when i did a splunk search query

richgalloway — Mon, 03 Feb 2020 17:44:21 GMT

Based on your comment, consider using rex instead of replace.

| rex field=message mode=sed "s/Data\s*=\s*//"

Re: replace function itself is not working when i did a splunk search query

d942725 — Wed, 30 Sep 2020 04:01:23 GMT

environment="sit" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data ="| rex field=message mode=sed "s/Data\s*=\s*//"

used the above query in Splunk UI

Still able to see the output as below:

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",

" Data = " was still not removed from the actual message:

Re: replace function itself is not working when i did a splunk search query

Vijeta — Mon, 03 Feb 2020 19:15:45 GMT

Hi @d942725 - Try using _raw in field name .

rex field=_raw mode=sed "s/Data\s*=\s*//"

Re: replace function itself is not working when i did a splunk search query

richgalloway — Mon, 03 Feb 2020 19:29:05 GMT

There must be something about your data that is not included in this question because the following run-anywhere example works.

| makeresults annotate=true | eval message="Data = {\"data\":{\"time\":\"2020-02-03T12:43:49+00:00\"" | rex field=message mode=sed "s/Data\s*=\s*//" | table message

Re: replace function itself is not working when i did a splunk search query

d942725 — Tue, 04 Feb 2020 03:45:10 GMT

But for logstash logs, i have the string data available under the field "message". Is it recommended to do that which doesn't include the field name over there ?

Re: replace function itself is not working when i did a splunk search query

d942725 — Tue, 04 Feb 2020 10:41:54 GMT

This one Worked for me. Thanks a lot.

Re: replace function itself is not working when i did a splunk search query

d942725 — Wed, 30 Sep 2020 04:01:53 GMT

hi richgalloway ♦, rex field=_raw mode=sed "s/Data\s*=\s*//"
the above one worked for me.

Re: replace function itself is not working when i did a splunk search query

Vijeta — Tue, 04 Feb 2020 16:11:45 GMT

@d942725 Welcome :). Can you please accept the answer.

Re: replace function itself is not working when i did a splunk search query

d942725 — Tue, 04 Feb 2020 16:43:17 GMT

Sure, Vl accept the answer.

Thanks