topic Re: How to edit my rex mode=sed syntax to remove parts of a string value? in Splunk Search

How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy — Wed, 17 Aug 2016 17:16:45 GMT

Hello,

Apologies if this has been asked before (or if there is a much easier way of doing this), I haven't been able to identify any relevant posts elsewhere...

I've got a simple chart I'm trying to modify. Basically, it looks at a syslog message and charts the top 10 'x' based on the number of messages that have been generated.

Pseudo-search-code looks like:

Interesting_String_Value | top 10 field19

Now, what comes out of it is a chart (top 10) as you would expect, but the values look like:

field-description="actual_value"

I want to remove all pieces except for the actual_value (including quotations)

I'd assume I could handle this via rex mode=sed, but I'm not having any luck...

rex mode=sed 's/field-description\=//g;s/\"//g'

Help? : )

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

richgalloway — Wed, 17 Aug 2016 17:56:40 GMT

I suspect you need two separate commands. Try this

... | rex mode=sed 's/field-description\=//g' | rex mode=sed 's/\"//g' | ...

... | replace "field-description=" with "" in field19 | replace '"' with '' in field19 | ...

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

sundareshr — Wed, 17 Aug 2016 18:05:57 GMT

Try this (wasn't sure if you wanted to keep the quotes or remove, this removes the quotes.

.. | rex mode=sed "s/.*"([^"]+)"/$1/g" | ...

OR this, if you want to retain the quotes

... | rex mode=sed "s/.*("[^"]+")/$1/g" | ...

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy — Wed, 17 Aug 2016 18:06:17 GMT

Sadly both seem to have the same effect... (nothing). field-description="" is still there. Even trying just 'field-description' removal doesn't seem to work.

Thanks for the help,

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy — Wed, 17 Aug 2016 18:17:03 GMT

I get some...interesting errors with both of those.

I'd like to have the output in the chart be:

actual_value

instead of

field-description="actual_value"

Error in 'SearchParser': Missing a search command before '^'.
where field19 != "...{snipped} {errorcontext = d "s/.*"([^"]+)"/$1/g}'.

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

sundareshr — Thu, 18 Aug 2016 02:29:04 GMT

My bad. Forgot to escape the quotes. Try this

... | rex mode=sed "s/.*\"([^\"]+)\"/\1/g"

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

inventsekar — Thu, 18 Aug 2016 03:11:14 GMT

just wondering why you want rex mode=sed, maybe, just a regular rex field extraction is enough.. just a thought -

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment -

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

sundareshr — Thu, 18 Aug 2016 03:20:34 GMT

Good point. I believe field19 has the values

Interesting_String_Value | top 10 field19 | rev field=field19 "\"(?<field19>[^\"]+)\""

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy — Thu, 18 Aug 2016 13:32:59 GMT

Sorry, I should have caught that as well. This one runs, but the end result is still the same in the chart 😞

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy — Thu, 18 Aug 2016 13:35:07 GMT

Sundareshr's worked! Thank you!

Do you want to pop that into an answer for credit?

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy — Thu, 18 Aug 2016 13:35:34 GMT

(obviously substituted 'rev' for 'rex'

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

inventsekar — Thu, 18 Aug 2016 14:21:27 GMT

Yes Please 😉 .. an upvote and/or accept as answer would be Great !

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy — Thu, 18 Aug 2016 15:40:27 GMT

Not seeing a way to do this for a comment - maybe if you repost it as a top-level answer?

Re: How to edit my rex mode=sed syntax to remove parts of a string value?

inventsekar — Thu, 18 Aug 2016 16:20:58 GMT

not this comment.. this whole reply, you can "Accept this as answer".. also the upvote button(^)