Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove double quotes from events ?

sivakumargik
New Member
‎11-18-2019 08:19 AM

sample event

"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎11-18-2019 11:38 AM 
| makeresults 
| eval raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\"" 
| rename COMMENT AS "this is sample data" 
| makemv delim="," raw 
| mvexpand raw 
| eval tmp=1 
| xyseries tmp raw _time 
| fields - tmp 
| rename COMMENT AS "this is sample data" 
| rename \"*\" as *

I tried to remove double quotes for field names.

0 Karma
Reply

mayurr98
Super Champion
‎11-18-2019 10:06 AM

the easiest way to do at index time is by using SEDCMD script:
This is run anywhere search to test the script:

| makeresults 
| eval _raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\"" 
| rex mode=sed "s/\"(\w+)\"/\1/g"

You would need to do this using CLI:

1) On the machine that runs Splunk Enterprise, create a props.conf in the $SPLUNK_HOME/etc/system/local directory. If the file already exists, proceed to the next step.
2) Open $SPLUNK_HOME/etc/system/local/props.conf with a text editor.
3) Add the following stanza to reference the transform that you created in inputs.conf to do the masking transformation.

[your_sourcetype]
SEDCMD-remove_dquotes= s/\"(\w+)\"/\1/g

Save the file and close it.
Restart Splunk Enterprise.
0 Karma
Reply

rajashaey
Explorer
‎11-16-2022 12:13 AM

Hi,

please specify what to insert in Transforms.conf

0 Karma
Reply

sivakumargik
New Member
‎11-18-2019 10:15 AM

Hey Mayur,

The data is already ingested. I would need to do this in search time.

and the below is just the field names but there are around 100k events with actual data in which i need to extract the data without the double quotes

"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"

0 Karma
Reply

to4kawa
Ultra Champion
‎11-18-2019 09:53 AM 
| makeresults
| eval _raw="\"USR_LOGIN\",\"USR_EMP_NO\",\"USR_LAST_NAME\",\"USR_FIRST_NAME\",\"USR_DISPLAY_NAME\",\"USR_STATUS\",\"USR_EMAIL\",\"USR_TRANSIT\",\"USR_EMPLOYEEMANAGER\",\"USR_IDENTITYSECURITYID\",\"USR_UDF_EMPLOYER\",\"USR_EMPLOYERCODE\""
| rename COMMENT AS "this is sample data"
| eval _raw=replace(_raw,"\"","")

Hi, how about it?

0 Karma
Reply

sivakumargik
New Member
‎11-18-2019 10:16 AM

the below is just the field names but there are around 100k events with actual data in which i need to extract the data without the double quotes

"USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL","USR_TRANSIT","USR_EMPLOYEEMANAGER","USR_IDENTITYSECURITYID","USR_UDF_EMPLOYER","USR_EMPLOYERCODE"

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...