topic Re: SEDCMD search inline question in Splunk Search

SEDCMD search inline question

tkwaller — Fri, 08 Apr 2016 16:16:18 GMT

I am trying to test a sedcmd command, inline, that Im going to add. I am finding a string and replacing it with a field="string with spaces"
Heres a log sample:
2016-04-08 15:04:14,711 [_498147344979146612131995] priority=ERROR thread=http-nio-10010-exec-9 location=com.xxx.search.suggest.v3.impl Found invalid sort sields, invalidFields=eventDateLocal asc

I want to replace:
Found invalid sort sields

with:
message="Found invalid sort fields"

Ive tried several different options including this:
index=java host=src sourcetype=tomcat:src:server "Found invalid sort sields" | rex mode=sed "s/\sFound\sinvalid\ssort\ssields/ message="\"Found invalid sort fields\""/g"

But this errors:
Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

Any thoughts on how I can get around this?

Re: SEDCMD search inline question

somesoni2 — Fri, 08 Apr 2016 16:56:26 GMT

Try like this (run anywhere sample)

| gentimes start=-1 | eval _raw="2016-04-08 15:04:14,711 [_498147344979146612131995] priority=ERROR thread=http-nio-10010-exec-9 location=com.xxx.search.suggest.v3.impl Found invalid sort sields, invalidFields=eventDateLocal asc" | table _raw 
| rex mode=sed "s/(Found\sinvalid\ssort\ssields)/Message=\"\1\"/"

Re: SEDCMD search inline question

tkwaller — Fri, 08 Apr 2016 17:29:15 GMT

So I took your above and modified my search from using:

rex mode=sed "s/\sFound\sinvalid\ssort\ssields/ message="\"Found invalid sort fields\""/g"

to use:
rex mode=sed "s/(Found\sinvalid\ssort\ssields)/message=\"Found invalid sort fields\"/g"

Works now
Thanks!

Re: SEDCMD search inline question

wrangler2x — Fri, 08 Apr 2016 17:54:20 GMT

The parens around the search string capture the matched string. This is why he uses the \1 in the replace string. If your log sample really has sields instead of fields and you not only want to add message= to it, but also change the spelling the \1 can't be used. However, if the log sample really has fields then the \1 should work dandy!

Re: SEDCMD search inline question

tkwaller — Fri, 08 Apr 2016 18:05:40 GMT

Really?
Cause I used this:
index=java host=src sourcetype=tomcat:src:server earliest=-4h "Found invalid sort sields"| rex mode=sed "s/(Found\sinvalid\ssort\ssields)/message=\"Found invalid sort fields\"/g"

And got the results:
2016-04-08 16:59:48,521 [_498840895039862628422332] priority=ERROR thread=http-nio-10010-exec-6 location=com.xxx.search.suggest.v3.impl message="Found invalid sort fields", invalidFields=eventDateLocal asc

What makes you say it doesn't work?

Re: SEDCMD search inline question

tkwaller — Fri, 08 Apr 2016 18:07:55 GMT

Removing the parens returns the same results as well

Re: SEDCMD search inline question

wrangler2x — Fri, 08 Apr 2016 18:33:39 GMT

I did not say it does not work. I said the parentheses are used to capture the matched data, and the \1 returns that in the replace string. If you are going to use a literal replace string -- as you are showing you are doing, you don't need the parentheses or the \1. I am kind of curious why your log entry has that mis-spelling of the word fields as sields.

Re: SEDCMD search inline question

tkwaller — Fri, 08 Apr 2016 19:52:03 GMT

Sure sure, I understand.
Thanks!