Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ignore or Remove characters from search results

hagjos43
Contributor
‎04-25-2014 04:57 AM

I have a need to ignore specific characters in my search results. I'm assuming this can be done with REGEX or something similar. Here is an example of what I need:
Current results:

news%20article
article%20about%20stuff
2014%20white%20paper.pdf

What I need it to look like is:

news article
article about stuff
2014 white paper.pdf

Is this possible? If so can someone point me in the right direction?
Thanks!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 05:12 AM

Looks like sed will do the job.

... | rex field=<field> mode=sed "s/%20/ /g" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

sanjeev_srivast
New Member
‎01-15-2019 09:31 AM

I am facing similar issue:

O/p
REFUSALREASON count
":"04 : Capture card"," 24
":"05 : Do not honor"," 277
":"07 : Pickup card, special condition"," 7
":"12 : Invalid transaction"," 56
":"14 : Invalid card number","

Expected O/p
04 : Capture card
05 : Do not honor
07 : Pickup card, special condition
12 : Invalid transaction
14 : Invalid card number

Query i am using:
"ADYEN JSON NOTIFICATION DATA" ("eventCode":"AUTHORISATION") ("merchantOrderReference":"AP*") AND NOT Approved
| rex field=_raw "refusalReasonRaw(?.)billingAddress.stateOrProvince(?.)" | stats count by REFUSALREASON

after refusalReasonRaw in the bracket, it is REFUSALREASON
after billingAddress.stateOrProvince in the bracket, it is Msg
I want expected o/p but somehow I am not able to figure out please help me!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-25-2014 05:14 AM

Hi hagjos43,

Yes it is possible, try something like this:

... | rex mode=sed "s/\%20/ /g"

this will search for all %20 and replace it by a blank

hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 05:12 AM

Looks like sed will do the job.

... | rex field=<field> mode=sed "s/%20/ /g" | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

clintla
Contributor
‎08-06-2019 01:19 PM

Nice! Worked well!

0 Karma
Reply
Solved! Jump to solution

AshimaE
Explorer
‎07-06-2017 01:24 AM

@richgalloway how to replace mutiple characters separately using this or any other method. I want to replace both "abc" and "def" from the same field message

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2017 06:15 AM

@ashimae, It's better to ask a new question than to add on to a old question with an accepted answer.

Have you tried using this same method with your data?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

hagjos43
Contributor
‎04-25-2014 06:12 AM

This worked! Thank you!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-25-2014 05:15 AM

you beat me, I was typing for too long 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...