Splunk Search

How to remove double quotes from events ?

sivakumargik
New Member

sample event

"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"

0 Karma

to4kawa
Ultra Champion

| makeresults 
| eval raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\"" 
| rename COMMENT AS "this is sample data" 
| makemv delim="," raw 
| mvexpand raw 
| eval tmp=1 
| xyseries tmp raw _time 
| fields - tmp 
| rename COMMENT AS "this is sample data" 
| rename \"*\" as *

I tried to remove double quotes for field names.

0 Karma

mayurr98
Super Champion

The easiest way to do this at index time is by using a SEDCMD script.
This is a run-anywhere search to test the script:

| makeresults 
| eval _raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\"" 
| rex mode=sed "s/\"(\w+)\"/\1/g"

You would need to do this using the CLI:

1) On the machine that runs Splunk Enterprise, create a props.conf in the $SPLUNK_HOME/etc/system/local directory. If the file already exists, proceed to the next step.
2) Open $SPLUNK_HOME/etc/system/local/props.conf with a text editor.
3) Add the following stanza to reference the transform that you created in inputs.conf to do the masking transformation.

[your_sourcetype]
SEDCMD-remove_dquotes= s/\"(\w+)\"/\1/g

Save the file and close it.
Restart Splunk Enterprise.
0 Karma

rajashaey
Explorer

Hi,

Please specify what to insert in transforms.conf.

0 Karma

sivakumargik
New Member

Hey Mayur,

The data is already ingested. I would need to do this in search time.

The below is just the field names, but there are around 100k events with actual data, in which I need to extract the data without the double quotes:

"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"

0 Karma

to4kawa
Ultra Champion

| makeresults
| eval _raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\""
| rename COMMENT AS "this is sample data"
| eval _raw=replace(_raw,"\"","")

Hi, how about it?

0 Karma
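Both answers in the thread strip quotes with a text substitution: mayurr98's sed expression s/\"(\w+)\"/\1/g and to4kawa's replace(_raw,"\"","") . Neither is a CSV parse, and on the real data rows (as opposed to the header line) that matters: the sed regex only unquotes values that are a single run of word characters, so a display name with a space, an e-mail address or a SID-style identifier keeps its quotes, while removing every quote blindly destroys the field boundaries as soon as a value contains a comma. The script below is an added example, not code from the thread; it replays both substitutions in Python on constructed rows (the header line from the thread plus one made-up employee record) and shows the quoting-aware parse that a search-time extraction actually needs. The data row, the field values and the function names are assumptions made for the example.

```python
import csv
import io
import re

# The header line quoted in the thread.
HEADER = ('"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME",'
          '"USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT",'
          '"USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER",'
          '"USR_EMPLOYERCODE"')

# Constructed data row (not from the thread): the values are what the field
# names suggest, including a display name that contains a comma, an e-mail
# address and an identifier with hyphens.
ROWS = [
    '"jsmith","10042","Smith","John","Smith, John","ACTIVE",'
    '"john.smith@example.com","0123","jdoe","S-1-5-21-1","Example Corp","EX01"',
]

# Same pattern as the thread's SEDCMD / rex mode=sed expression.
SED_PATTERN = re.compile(r'"(\w+)"')


def sed_strip(line):
    # Equivalent of s/\"(\w+)\"/\1/g: only values made of word characters lose their quotes.
    return SED_PATTERN.sub(r'\1', line)


def replace_strip(line):
    # Equivalent of replace(_raw, "\"", ""): every double quote is dropped, wherever it is.
    return line.replace('"', '')


def parse_row(line):
    # Quoting-aware split: a comma inside a quoted value does not end the field.
    return next(csv.reader(io.StringIO(line)))


def extract_events(header_line, data_lines):
    # One dict per data row, keyed by the unquoted header names, with a field-count check
    # so a malformed row is reported instead of silently shifting values between fields.
    names = parse_row(header_line)
    events = []
    for line in data_lines:
        values = parse_row(line)
        if len(values) != len(names):
            raise ValueError(f"expected {len(names)} fields, got {len(values)}: {line!r}")
        events.append(dict(zip(names, values)))
    return events


if __name__ == "__main__":
    print("sed     :", sed_strip(ROWS[0]))
    print("replace :", replace_strip(ROWS[0]))
    for event in extract_events(HEADER, ROWS):
        print("parsed  :", event["USR_DISPLAY_NAME"], "|", event["USR_EMAIL"])
```

On the header line all three approaches agree, which is why the run-anywhere searches in the thread look correct. On the data row, sed_strip leaves four values still quoted, replace_strip turns the twelve fields into thirteen comma-separated tokens because of the comma in the display name, and only parse_row / extract_events returns twelve values with the quotes gone and the commas intact.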

sivakumargik
New Member

The below is just the field names, but there are around 100k events with actual data, in which I need to extract the data without the double quotes:

"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"

0 Karma