How can I remove some parenthesis from this log?

daniel333 · ‎02-20-2018

All,

I am trying to convert some superfluous parenthesis from this log. Duration value can be up to 4 digits.

Looks like
1/2/2017 12:34 severity=INFO post call (duration=5)

What I want
1/2/2017 12:34 severity=INFO post call duration=5

Here is what I got so far, but not clicking.
SEDCMD-log4jwild_fix_duration_parenth = s/((duration=(0-9)*))/\1/

Any ideas?

mayurr98 · ‎02-20-2018

Try this run anywhere search, below will look only for duration fieldand remove the brackets from duration field only.

| makeresults 
| eval data="1/2/2017 12:34 severity=INFO post call (duration=5)" 
| rex field=data mode=sed "s/\((duration=[^\)]+)\)/\1/"

Here is what you should write in your environment:

SEDCMD-log4jwild_fix_duration_parenth = s/\((duration=[^\)]+)\)/\1/

let me know if this helps!

ddrillic · ‎02-20-2018

What about a sed command which would replace either ( or ) with nothing?

493669 · ‎02-20-2018

have you tried below answer.. it will remove ( and )

493669 · ‎02-20-2018

Try this:

SEDCMD-log4jwild_fix_duration_parenth = s/([^\(]+)\(([^\)]+)\)/\1\2/

Join the Conversation