Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy
Explorer
‎08-17-2016 10:16 AM

Hello,

Apologies if this has been asked before (or if there is a much easier way of doing this), I haven't been able to identify any relevant posts elsewhere...

I've got a simple chart I'm trying to modify. Basically, it looks at a syslog message and charts the top 10 'x' based on the number of messages that have been generated.

Pseudo-search-code looks like:

Interesting_String_Value | top 10 field19

Now, what comes out of it is a chart (top 10) as you would expect, but the values look like:

field-description="actual_value"

I want to remove all pieces except for the actual_value (including quotations)

I'd assume I could handle this via rex mode=sed, but I'm not having any luck...

rex mode=sed 's/field-description\=//g;s/\"//g'

Help? : )

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-17-2016 08:11 PM

just wondering why you want rex mode=sed, maybe, just a regular rex field extraction is enough.. just a thought - 

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment - 

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-17-2016 08:11 PM

just wondering why you want rex mode=sed, maybe, just a regular rex field extraction is enough.. just a thought - 

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment - 

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-17-2016 08:20 PM

Good point. I believe field19 has the values

Interesting_String_Value | top 10 field19 | rev field=field19 "\"(?<field19>[^\"]+)\""
Reply
Solved! Jump to solution

NuMPTy
Explorer
‎08-18-2016 06:35 AM

Sundareshr's worked! Thank you!

Do you want to pop that into an answer for credit?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-18-2016 07:21 AM

Yes Please 😉 .. an upvote and/or accept as answer would be Great !

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

NuMPTy
Explorer
‎08-18-2016 08:40 AM

Not seeing a way to do this for a comment - maybe if you repost it as a top-level answer?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-18-2016 09:20 AM

not this comment.. this whole reply, you can "Accept this as answer".. also the upvote button(^)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

NuMPTy
Explorer
‎08-18-2016 06:35 AM

(obviously substituted 'rev' for 'rex'

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-17-2016 11:05 AM

Try this (wasn't sure if you wanted to keep the quotes or remove, this removes the quotes. 

.. | rex mode=sed "s/.*"([^"]+)"/$1/g" | ...

OR this, if you want to retain the quotes

... | rex mode=sed "s/.*("[^"]+")/$1/g" | ...
Reply
Solved! Jump to solution

NuMPTy
Explorer
‎08-17-2016 11:17 AM

I get some...interesting errors with both of those.

I'd like to have the output in the chart be:

actual_value

instead of

field-description="actual_value"

Error in 'SearchParser': Missing a search command before '^'.
where field19 != "...{snipped} {errorcontext = d "s/.*"([^"]+)"/$1/g}'.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-17-2016 07:29 PM

My bad. Forgot to escape the quotes. Try this

... | rex mode=sed "s/.*\"([^\"]+)\"/\1/g"
0 Karma
Reply
Solved! Jump to solution

NuMPTy
Explorer
‎08-18-2016 06:32 AM

Sorry, I should have caught that as well. This one runs, but the end result is still the same in the chart 😞

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2016 10:56 AM

I suspect you need two separate commands. Try this

... | rex mode=sed 's/field-description\=//g' | rex mode=sed 's/\"//g' | ...

or

... | replace "field-description=" with "" in field19 | replace '"' with '' in field19 | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

NuMPTy
Explorer
‎08-17-2016 11:06 AM

Sadly both seem to have the same effect... (nothing). field-description="" is still there. Even trying just 'field-description' removal doesn't seem to work.

Thanks for the help,

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...