Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to remove double quotes from events ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to remove double quotes from events ?
sample event
"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\""
| rename COMMENT AS "this is sample data"
| makemv delim="," raw
| mvexpand raw
| eval tmp=1
| xyseries tmp raw _time
| fields - tmp
| rename COMMENT AS "this is sample data"
| rename \"*\" as *
I tried to remove double quotes for field names.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the easiest way to do at index time is by using SEDCMD script:
This is run anywhere search to test the script:
| makeresults
| eval _raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\""
| rex mode=sed "s/\"(\w+)\"/\1/g"
You would need to do this using CLI:
1) On the machine that runs Splunk Enterprise, create a props.conf in the $SPLUNK_HOME/etc/system/local directory. If the file already exists, proceed to the next step.
2) Open $SPLUNK_HOME/etc/system/local/props.conf with a text editor.
3) Add the following stanza to reference the transform that you created in inputs.conf to do the masking transformation.
[your_sourcetype]
SEDCMD-remove_dquotes= s/\"(\w+)\"/\1/g
Save the file and close it.
Restart Splunk Enterprise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
please specify what to insert in Transforms.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Mayur,
The data is already ingested. I would need to do this in search time.
and the below is just the field names but there are around 100k events with actual data in which i need to extract the data without the double quotes
"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\""
| rename COMMENT AS "this is sample data"
| eval _raw=replace(_raw,"\"","")
Hi, how about it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the below is just the field names but there are around 100k events with actual data in which i need to extract the data without the double quotes
"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
