Solved: Re: How do I remove a double inverted comma from a...

maheshsat · ‎11-26-2018

I have to remove a double inverted comma from a value.

Query:

| rex "(.Item=(?[^\,]+))"| rex "(.Reserved1=(?[^\,]+))" | rex "(.Reserved2=(?[^\,]+))" | rex "(.Type=(?[^\,]+))" | rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?\"\d+\.\d+\")\,\s+\w+\s+.*"
|rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?\"\d+\.\d+\")\,\s+\w+\s+.*"

I have to remove the double inverted comma from value below. I have written the above query, but the double inverted comma is not getting removed.

Output:

Line_Item            “TFT Details Member” 
LG_Reserved1      “000000 “  
LG_Reserved2      “0000”  
Balance_Test         “Test“ 
Balance_Entered   “1238996555” 
Balance_Test         “8487347327473”

Richfez · ‎11-26-2018

You should be able to move those quote marks outside the capture group.

The capture group is (?<Balance_Test>\"\d+\.\d+\") so move the quotes outside, like \"(?<Balance_Test>\d+\.\d+)\". Repeat with Balance_Entered.

View solution in original post

maheshsat · ‎11-26-2018

Can you reply your answer again , I have to accept your answer

Richfez · ‎11-26-2018

You should be able to move those quote marks outside the capture group.

The capture group is (?<Balance_Test>\"\d+\.\d+\") so move the quotes outside, like \"(?<Balance_Test>\d+\.\d+)\". Repeat with Balance_Entered.

maheshsat · ‎11-26-2018

Its workes Thanks really appreciate Rich

maheshsat · ‎11-26-2018

I was able to find out answer but still two field are remaining Balance_Entered & Balance_Test

| rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?<Balance_Entered>\"\d+\.\d+\")\,\s+\w+\s+.*"
|rex field=_raw "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\.\d+\,\s+\w+.*(?<Balance_Test>\"\d+\.\d+\")\,\s+\w+\s+.*"

I got the answer below is the query but still last two fields

Balance_Entered “1238996555”
Balance_Test “8487347327473”

Richfez · ‎12-02-2018

Is this still an issue?

If I were you, I would head to regex101.com, paste into the bottom a couple of your events where this data is.
Then on the top, start with your first piece of your regex: \d+, see how it matches, then keep adding in the above until you find where it breaks or does the wrong thing. It's a methodical way to uncover small mistakes, and also helps a lot in understanding your regex.

Or post a handful of those events in here and we can match them for you.

FrankVl · ‎11-26-2018

This still doesn't make a whole lot of sense to me. Your regex to capture those 2 fields says \"\d+\.\d+\" so double quote, followed by numbers, followed by a dot, followed by more numbers, followed by a double quote.

That doesn't line up with the data you are showing (data doesn't include any dots) and it also doesn't make sense to capture the double quotes if that was the thing you wanted to get rid of.

Richfez · ‎11-26-2018

Also EDIT: I fixed the non-code to not use the code tags, so it looks better. 🙂

Richfez · ‎11-26-2018

EDIT: I fixed the code to use the code tags, so it should come across now.

FrankVl · ‎11-26-2018

Apart from any characters that had already disappeared like anything between <>. @maheshsat needs to really repost it himself. As he did in the answer below.

FrankVl · ‎11-26-2018

Can you please edit your question and post your code as code (using the 101010 button in the editor toolbar). Now it seems certain special characters are missing from your regular expressions.

In general it is not entirely clear looking at the rex commands your provide and the sample data, how these two align and what exact code is your attempt to remove the double quotes.

I believe there are multiple actual characters to represent ", so make sure you use the correct one.

How do I remove a double inverted comma from a value?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life