Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

replace - search reference command questions

jluste
Path Finder
‎08-09-2013 07:43 AM

Please see URL that I am referring to: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Replace

I am trying to utilize a log that has url values that have been percent encoded. I want to replace these encoding characters with their decoded meanings. Example: We%20alerted%20our%20team%20to%20the%20issue.%20We%20apologize%20for%20this%20inconvenience.%20Please%20try%20again%20later.

Based on the above link's examples, I tried the following:

| replace "%20" with " " in errorMessage | top errorMessage

The search runs but I still have these characters in my errorMessage field. Eventually I'll want something like this:

| replace "%20" with " ", "%2C" with ",", "%27" with "'" in field1 field2 field3

What am I doing wrong?

Tags (4)
0 Karma
Reply
Highlighted

Re: replace - search reference command questions

davecroto
Splunk Employee
Splunk Employee
‎08-09-2013 08:13 AM

Common issue, use sed mode in rex

Example

rex field=ccnumber mode=sed "s/(\d{4}-){4}/XXXX-XXXX-XXXX-XXXX/g".

Reply
Highlighted

Re: replace - search reference command questions

jluste
Path Finder
‎08-09-2013 08:37 AM

I've figured out another solution that works for this specific example. using eval and the urldecode() function.

I did a ... | eval field1=urldecode(field1) and this works perfectly fine for me. Only issue is that I have to explicitly identify fields rather than have all fields taken care of at once. I tried doing a ... | eval _raw=urldecode(_raw) but this only works for the raw results and doesn't get updated to the splunk auto or manually extracted fields. D'oh!

Thanks!

0 Karma
Reply