Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: How do I remove a double inverted comma from a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to remove a double inverted comma from a value.
Query:
| rex "(.Item=(?[^\,]+))"| rex "(.Reserved1=(?[^\,]+))" | rex "(.Reserved2=(?[^\,]+))" | rex "(.Type=(?[^\,]+))" | rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?\"\d+\.\d+\")\,\s+\w+\s+.*"
|rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?\"\d+\.\d+\")\,\s+\w+\s+.*"
I have to remove the double inverted comma from value below. I have written the above query, but the double inverted comma is not getting removed.
Output:
Line_Item “TFT Details Member”
LG_Reserved1 “000000 “
LG_Reserved2 “0000”
Balance_Test “Test“
Balance_Entered “1238996555”
Balance_Test “8487347327473”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to move those quote marks outside the capture group.
The capture group is (?<Balance_Test>\"\d+\.\d+\") so move the quotes outside, like \"(?<Balance_Test>\d+\.\d+)\". Repeat with Balance_Entered.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you reply your answer again , I have to accept your answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to move those quote marks outside the capture group.
The capture group is (?<Balance_Test>\"\d+\.\d+\") so move the quotes outside, like \"(?<Balance_Test>\d+\.\d+)\". Repeat with Balance_Entered.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its workes Thanks really appreciate Rich
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to find out answer but still two field are remaining Balance_Entered & Balance_Test
| rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?<Balance_Entered>\"\d+\.\d+\")\,\s+\w+\s+.*"
|rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?<Balance_Test>\"\d+\.\d+\")\,\s+\w+\s+.*"
I got the answer below is the query but still last two fields
Balance_Entered “1238996555”
Balance_Test “8487347327473”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this still an issue?
If I were you, I would head to regex101.com, paste into the bottom a couple of your events where this data is.
Then on the top, start with your first piece of your regex: \d+, see how it matches, then keep adding in the above until you find where it breaks or does the wrong thing. It's a methodical way to uncover small mistakes, and also helps a lot in understanding your regex.
Or post a handful of those events in here and we can match them for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This still doesn't make a whole lot of sense to me. Your regex to capture those 2 fields says \"\d+\.\d+\" so double quote, followed by numbers, followed by a dot, followed by more numbers, followed by a double quote.
That doesn't line up with the data you are showing (data doesn't include any dots) and it also doesn't make sense to capture the double quotes if that was the thing you wanted to get rid of.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also EDIT: I fixed the non-code to not use the code tags, so it looks better. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
EDIT: I fixed the code to use the code tags, so it should come across now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apart from any characters that had already disappeared like anything between <>. @maheshsat needs to really repost it himself. As he did in the answer below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please edit your question and post your code as code (using the 101010 button in the editor toolbar). Now it seems certain special characters are missing from your regular expressions.
In general it is not entirely clear looking at the rex commands your provide and the sample data, how these two align and what exact code is your attempt to remove the double quotes.
I believe there are multiple actual characters to represent ", so make sure you use the correct one.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
