Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how do I remove the single quotes from my key value pairs,how to remove single quotes from a key value pair

jyothiadobe
New Member
‎05-03-2019 07:18 AM

I have a logs like below and this is not a JSON logs, indexing through HEC.

Key1='value1' Key2='value'

how do I remove this single quotes from value?

Regards,
Thippesh

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-03-2019 08:52 AM

you can do in few ways
1. At indextime, completely remove this before indexing. May not be good if you want to keep "pure" source data
2. replace all single quotes in _raw message using rex | rex mode=sed "y/\=\'/\=/"| rex mode=sed "y/\'\s/\s/"
3. Do individual replacement of key-value | eval key1=replace(key1,"\'"."")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-04-2019 12:23 PM

Assuming that search-time is OK, like this:

|makeresults | eval "'foo'" = "'bar'"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| foreach "'*'" [rex mode=sed field="<<FIELD>>" "s/^'// s/'$//"]
| rename "'*'" AS "*"
0 Karma
Reply
Solved! Jump to solution

jyothiadobe
New Member
‎05-05-2019 11:59 PM

Hi woodcock,

Thanks for the answer, would like to know how I can fix this in index time so that I no need to do this for each search.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-11-2019 09:58 PM

In order to do that, you MUST show us a sample event. Why do OPs so rarely share sample events?

0 Karma
Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-03-2019 08:52 AM

you can do in few ways
1. At indextime, completely remove this before indexing. May not be good if you want to keep "pure" source data
2. replace all single quotes in _raw message using rex | rex mode=sed "y/\=\'/\=/"| rex mode=sed "y/\'\s/\s/"
3. Do individual replacement of key-value | eval key1=replace(key1,"\'"."")

0 Karma
Reply
Solved! Jump to solution

jyothiadobe
New Member
‎05-05-2019 11:59 PM

Hi koshyk,

Thanks for the answer, would like to know how I can fix this in index time so that I no need to do this for each search.

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-06-2019 11:30 AM

If you want in indextime, you can do in two ways

  1. Just using props.conf

    [myQuoteSourcetype]
    SEDCMD-singleQuotedData = s/(\w+)=\'([^\']+)/\1=\2/g

Please try and test your regex properly

  1. Using props and Transforms (In case if you want to re-use in multiple sourcetypes)

In props.conf

[myQuoteSourcetype]
TRANSFORMS-removeSingleQuotedKeys = removeSingleQuotedKeys

In transforms.conf

[removeSingleQuotedKeys]
REGEX = (\w+)=(?:\'?)([^\']+)(?:\'?)\s
FORMAT = $1:$2\s
DEST_KEY = _raw

I've tested sample data Regex I've put into below link:
https://regex101.com/r/4caTBy/1

But of course, you need to fine tune your regex

(Please upvote/accept, if it worked. Cheers)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...