Splunk Search

How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy
Explorer

Hello,

Apologies if this has been asked before (or if there is a much easier way of doing this), I haven't been able to identify any relevant posts elsewhere...

I've got a simple chart I'm trying to modify. Basically, it looks at a syslog message and charts the top 10 'x' based on the number of messages that have been generated.

Pseudo-search-code looks like:

Interesting_String_Value | top 10 field19

Now, what comes out of it is a chart (top 10) as you would expect, but the values look like:

field-description="actual_value"

I want to remove all pieces except for the actual_value (including the quotation marks).

I'd assume I could handle this via rex mode=sed, but I'm not having any luck...

rex mode=sed 's/field-description\=//g;s/\"//g'

Help? : )

0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

Just wondering why you want rex mode=sed; maybe just a regular rex field extraction is enough.. just a thought -

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

Updated from Sundaresh Sir's comment -

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""

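As an added illustration (not code from the thread or from Splunk), the following Python emulates the accepted pipeline on constructed syslog lines: `top` over field19, then the field-level `rex` capture from the accepted answer, beside the `rex mode=sed` substitution discussed further down. SAMPLE_EVENTS, the token layout and the helper names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events (assumption): the interesting field, field19 in the
# thread, carries a value of the form field-description="actual_value".
SAMPLE_EVENTS = [
    'host1 app: Interesting_String_Value field-description="login_failed" user=a',
    'host2 app: Interesting_String_Value field-description="login_failed" user=b',
    'host1 app: Interesting_String_Value field-description="acl=deny" user=c',
    'host3 app: Interesting_String_Value field-description="acl=deny" user=d',
    'host3 app: Interesting_String_Value field-description="timeout" user=e',
    'host2 app: Interesting_String_Value field-description="login_failed" user=f',
]

# Equivalent of the accepted answer, rex field=field19 "\"(?<field19>[^\"]+)\"",
# applied to the field value rather than to _raw. Python's re spells the named
# group (?P<name>...) where Splunk's PCRE accepts (?<name>...).
REX_QUOTED = re.compile(r'"(?P<field19>[^"]+)"')

# Equivalent of the sed-style alternative, rex mode=sed "s/.*\"([^\"]+)\"/\1/g".
SED_QUOTED = re.compile(r'.*"([^"]+)"')


def top_field19(events, n=10):
    """Emulate `... | top n field19`: the counted value is the whole
    key="value" token, exactly as it later shows up in the chart."""
    tokens = [tok for ev in events for tok in ev.split()
              if tok.startswith('field-description=')]
    return Counter(tokens).most_common(n)


def rex_extract(value):
    """rex field=field19 overwrites field19 with the capture group; when the
    pattern does not match, the original value is left untouched."""
    m = REX_QUOTED.search(value)
    return m.group('field19') if m else value


def sed_strip(value):
    """rex mode=sed: every match (the /g flag) is replaced by group 1.
    A value containing '=' or spaces survives because only the quoted span
    is captured."""
    return SED_QUOTED.sub(r'\1', value)


def chart_values(events, extractor=rex_extract):
    """Run top-N first and the extraction second, as the final SPL does."""
    return [(extractor(val), count) for val, count in top_field19(events)]
```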

sundareshr
Legend

Good point. I believe field19 has the values

Interesting_String_Value | top 10 field19 | rev field=field19 "\"(?<field19>[^\"]+)\""

NuMPTy
Explorer

Sundareshr's worked! Thank you!

Do you want to pop that into an answer for credit?

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Yes please 😉 .. an upvote and/or accepting as answer would be great!

NuMPTy
Explorer

Not seeing a way to do this for a comment - maybe if you repost it as a top-level answer?

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Not this comment.. this whole reply; you can "Accept this as answer".. also the upvote button (^).

NuMPTy
Explorer

(obviously substituted 'rev' for 'rex')

0 Karma

sundareshr
Legend

Try this (wasn't sure if you wanted to keep the quotes or remove them; this removes the quotes).

.. | rex mode=sed "s/.*"([^"]+)"/$1/g" | ...

OR this, if you want to retain the quotes:

... | rex mode=sed "s/.*("[^"]+")/$1/g" | ...

NuMPTy
Explorer

I get some...interesting errors with both of those.

I'd like to have the output in the chart be:

actual_value

instead of

field-description="actual_value"

Error in 'SearchParser': Missing a search command before '^'.
where field19 != "...{snipped} {errorcontext = d "s/.*"([^"]+)"/$1/g}'.

0 Karma

sundareshr
Legend

My bad. Forgot to escape the quotes. Try this:

... | rex mode=sed "s/.*\"([^\"]+)\"/\1/g"

0 Karma

NuMPTy
Explorer

Sorry, I should have caught that as well. This one runs, but the end result is still the same in the chart 😞

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I suspect you need two separate commands. Try this:

... | rex mode=sed 's/field-description\=//g' | rex mode=sed 's/\"//g' | ...

or

... | replace "field-description=" with "" in field19 | replace '"' with '' in field19 | ...
---
If this reply helps you, Karma would be appreciated.

NuMPTy
Explorer

Sadly both seem to have the same effect... (nothing). field-description="" is still there. Even trying just 'field-description' removal doesn't seem to work.

Thanks for the help,

0 Karma