Solved: How to edit my rex mode=sed syntax to remove parts...

NuMPTy · ‎08-17-2016

Hello,

Apologies if this has been asked before (or if there is a much easier way of doing this), I haven't been able to identify any relevant posts elsewhere...

I've got a simple chart I'm trying to modify. Basically, it looks at a syslog message and charts the top 10 'x' based on the number of messages that have been generated.

Pseudo-search-code looks like:

Interesting_String_Value | top 10 field19

Now, what comes out of it is a chart (top 10) as you would expect, but the values look like:

field-description="actual_value"

I want to remove all pieces except for the actual_value (including quotations)

I'd assume I could handle this via rex mode=sed, but I'm not having any luck...

rex mode=sed 's/field-description\=//g;s/\"//g'

Help? : )

inventsekar · ‎08-17-2016

just wondering why you want rex mode=sed, maybe, just a regular rex field extraction is enough.. just a thought -

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment -

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""

View solution in original post

inventsekar · ‎08-17-2016

just wondering why you want rex mode=sed, maybe, just a regular rex field extraction is enough.. just a thought -

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment -

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""

sundareshr · ‎08-17-2016

Good point. I believe field19 has the values

Interesting_String_Value | top 10 field19 | rev field=field19 "\"(?<field19>[^\"]+)\""

NuMPTy · ‎08-18-2016

Sundareshr's worked! Thank you!

Do you want to pop that into an answer for credit?

inventsekar · ‎08-18-2016

Yes Please 😉 .. an upvote and/or accept as answer would be Great !

NuMPTy · ‎08-18-2016

Not seeing a way to do this for a comment - maybe if you repost it as a top-level answer?

inventsekar · ‎08-18-2016

not this comment.. this whole reply, you can "Accept this as answer".. also the upvote button(^)

NuMPTy · ‎08-18-2016

(obviously substituted 'rev' for 'rex'

sundareshr · ‎08-17-2016

Try this (wasn't sure if you wanted to keep the quotes or remove, this removes the quotes.

.. | rex mode=sed "s/.*"([^"]+)"/$1/g" | ...

OR this, if you want to retain the quotes

... | rex mode=sed "s/.*("[^"]+")/$1/g" | ...

NuMPTy · ‎08-17-2016

I get some...interesting errors with both of those.

I'd like to have the output in the chart be:

actual_value

instead of

field-description="actual_value"

Error in 'SearchParser': Missing a search command before '^'.
where field19 != "...{snipped} {errorcontext = d "s/.*"([^"]+)"/$1/g}'.

sundareshr · ‎08-17-2016

My bad. Forgot to escape the quotes. Try this

... | rex mode=sed "s/.*\"([^\"]+)\"/\1/g"

NuMPTy · ‎08-18-2016

Sorry, I should have caught that as well. This one runs, but the end result is still the same in the chart 😞

richgalloway · ‎08-17-2016

I suspect you need two separate commands. Try this

... | rex mode=sed 's/field-description\=//g' | rex mode=sed 's/\"//g' | ...

or

... | replace "field-description=" with "" in field19 | replace '"' with '' in field19 | ...

---
If this reply helps you, Karma would be appreciated.

NuMPTy · ‎08-17-2016

Sadly both seem to have the same effect... (nothing). field-description="" is still there. Even trying just 'field-description' removal doesn't seem to work.

Thanks for the help,

How to edit my rex mode=sed syntax to remove parts of a string value?

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud