Splunk Search

How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy
Explorer

Hello,

Apologies if this has been asked before (or if there is a much easier way of doing this), I haven't been able to identify any relevant posts elsewhere...

I've got a simple chart I'm trying to modify. Basically, it looks at a syslog message and charts the top 10 'x' based on the number of messages that have been generated.

Pseudo-search-code looks like:

Interesting_String_Value | top 10 field19

Now, what comes out of it is a chart (top 10) as you would expect, but the values look like:

field-description="actual_value"

I want to remove all pieces except for the actual_value (including quotations)

I'd assume I could handle this via rex mode=sed, but I'm not having any luck...

rex mode=sed 's/field-description\=//g;s/\"//g'

Help? : )

0 Karma
1 Solution

inventsekar
Ultra Champion

just wondering why you want rex mode=sed, maybe, just a regular rex field extraction is enough.. just a thought -

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment -

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""

View solution in original post

inventsekar
Ultra Champion

just wondering why you want rex mode=sed, maybe, just a regular rex field extraction is enough.. just a thought -

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment -

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""

sundareshr
Legend

Good point. I believe field19 has the values

Interesting_String_Value | top 10 field19 | rev field=field19 "\"(?<field19>[^\"]+)\""

NuMPTy
Explorer

Sundareshr's worked! Thank you!

Do you want to pop that into an answer for credit?

0 Karma

inventsekar
Ultra Champion

Yes Please 😉 .. an upvote and/or accept as answer would be Great !

NuMPTy
Explorer

Not seeing a way to do this for a comment - maybe if you repost it as a top-level answer?

0 Karma

inventsekar
Ultra Champion

not this comment.. this whole reply, you can "Accept this as answer".. also the upvote button(^)

NuMPTy
Explorer

(obviously substituted 'rev' for 'rex'

0 Karma

sundareshr
Legend

Try this (wasn't sure if you wanted to keep the quotes or remove, this removes the quotes.

.. | rex mode=sed "s/.*"([^"]+)"/$1/g" | ...

OR this, if you want to retain the quotes

... | rex mode=sed "s/.*("[^"]+")/$1/g" | ...

NuMPTy
Explorer

I get some...interesting errors with both of those.

I'd like to have the output in the chart be:

actual_value

instead of

field-description="actual_value"

Error in 'SearchParser': Missing a search command before '^'.
where field19 != "...{snipped} {errorcontext = d "s/.*"([^"]+)"/$1/g}'.

0 Karma

sundareshr
Legend

My bad. Forgot to escape the quotes. Try this

... | rex mode=sed "s/.*\"([^\"]+)\"/\1/g"
0 Karma

NuMPTy
Explorer

Sorry, I should have caught that as well. This one runs, but the end result is still the same in the chart 😞

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I suspect you need two separate commands. Try this

... | rex mode=sed 's/field-description\=//g' | rex mode=sed 's/\"//g' | ...

or

... | replace "field-description=" with "" in field19 | replace '"' with '' in field19 | ...
---
If this reply helps you, Karma would be appreciated.

NuMPTy
Explorer

Sadly both seem to have the same effect... (nothing). field-description="" is still there. Even trying just 'field-description' removal doesn't seem to work.

Thanks for the help,

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...