topic Re: Help on removing the double quotes and reading a substring in Splunk Search

Re: Help on removing the double quotes and reading a substring

manojchacko78 — Fri, 30 Sep 2022 08:35:28 GMT

Need one more help, from the below log, i am able to remove all the wild characters using below script, but need to retain the commas in the texts (in italics) between Message and Details, similarly for Message and Success

Appreciate the help

| eval "EM"=if(isnotnull('cip:AuditMessage.MessageText'),'cip:AuditMessage.MessageText',"Data Not Found")
| rex field=EM max_match=0 "(?<ErrMes>\w+)"
| eval ErrorMessage = mvjoin (ErrMes, " ")
| rex field=ErrorMessage Message\s+(?<ErrorResponse>.*)\s+Details\s+Message\s+(?<ErrorResponse2>.*)\s+Success

{"@odata.context":"https://apistaging.payspace.com/odata/v1.0/11997/$metadata#Employee/$entity","Message":"The Nationality field is required., The Province field is required., The Code field is required., The Country field is required.","Details":[{"Message":"The Nationality field is required."},{"Message":"The Province field is required."},{"Message":"The Code field is required."},{"Message":"The Country field is required."}],"Success":false}

Re: Help on removing the double quotes and reading a substring

gcusello — Fri, 30 Sep 2022 08:56:45 GMT

Hi @manojchacko78,

this isn't naother question, anyway, could you share the desidered output?

Ciao.

Giuseppe

Re: Help on removing the double quotes and reading a substring

manojchacko78 — Fri, 30 Sep 2022 09:39:32 GMT

Hi @gcusello

Thanks for the reply

This is what i am getting as raw

{"@odata.context":"https://url.com","Message":"The Nationality field is required., The Province field is required., The Code field is required., The Country field is required.","Details":[{"Message":"The Nationality field is required."},{"Message":"The Province field is required."},{"Message":"The Code field is required."},{"Message":"The Country field is required."}],"Success":false}

Now the bold text above is the desired output i am trying to extract. This bold texts always comes between these two words Message":" and ","Details

Kindly advise

Re: Help on removing the double quotes and reading a substring

gcusello — Fri, 30 Sep 2022 10:00:54 GMT

Hi @manojchacko78,

please try thi regex:

\"Message\":\"(?<Message>[^\"]+)\",\"Details

that you can test at https://regex101.com/r/8zMJIf/1

Ciao.

Giuseppe

Re: Help on removing the double quotes and reading a substring

manojchacko78 — Fri, 30 Sep 2022 10:13:26 GMT

Now as the below code, all the wild characters are removed

I am getting the extracted message, so these are basically 4 error messages separated by commas, but since i am removing all the wild characters the comma is gone. So the commas should be extracted as it is

The Nationality field is required The Province field is required The Code field is required The Country field is required

Re: Help on removing the double quotes and reading a substring

gcusello — Fri, 30 Sep 2022 10:25:36 GMT

Hi @manojchacko78,

let me understand: you want to remove commas having one message field or you want four messages?

in the first case, you can use replace

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details" | replace "," WITH ""

if instead you want four messages you have to use two regexes, please try this regex:

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details" | rex field=Full_Message "((^)|(,\s+))(?<Message>[^\.]+)"

Ciao.

Giuseppe

Re: Help on removing the double quotes and reading a substring

SinghK — Fri, 30 Sep 2022 10:43:40 GMT

I have moved the post to new post.

@manojchacko78 please ask new questions in separate posts.

regards,

Singhk

Re: Help on removing the double quotes and reading a substring

manojchacko78 — Fri, 30 Sep 2022 12:12:48 GMT

This one worked like a gem

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details"