Splunk Search

Ignore or Remove characters from search results

Contributor

I have a need to ignore specific characters in my search results. I'm assuming this can be done with REGEX or something similar. Here is an example of what I need:
Current results:

news%20article
article%20about%20stuff
2014%20white%20paper.pdf

What I need it to look like is:

news article
article about stuff
2014 white paper.pdf

Is this possible? If so can someone point me in the right direction?
Thanks!

Re: Ignore or Remove characters from search results

SplunkTrust

Looks like sed will do the job.

... | rex field=<field> mode=sed "s/%20/ /g" | ...
---
If this reply helps you, an upvote would be appreciated.

Re: Ignore or Remove characters from search results

SplunkTrust

you beat me, I was typing for too long 🙂

0 Karma

Re: Ignore or Remove characters from search results

Contributor

This worked! Thank you!

0 Karma

Re: Ignore or Remove characters from search results

Explorer

@richgalloway how to replace multiple characters separately using this or any other method? I want to replace both "abc" and "def" from the same field message.

0 Karma

Re: Ignore or Remove characters from search results

SplunkTrust

@ashimae, it's better to ask a new question than to add on to an old question with an accepted answer.

Have you tried using this same method with your data?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: Ignore or Remove characters from search results

Communicator

Nice! Worked well!

0 Karma

Re: Ignore or Remove characters from search results

SplunkTrust

Hi hagjos43,

Yes it is possible, try something like this:

... | rex mode=sed "s/\%20/ /g"

this will search for all %20 and replace it by a blank

hope this helps ...

cheers, MuS

0 Karma
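
Added example (not part of the original thread or any poster's reply): the sed substitution above handles only %20, while Splunk's urldecode() eval function decodes every percent-escape in one pass, which matters when encoded values are normalized before matching or reporting. The field name uri_file and the sample values are constructed for illustration; the last sample is double-encoded to show that one decode pass can leave a layer behind.

```spl
| makeresults
| eval comment="sample values are constructed; uri_file is a hypothetical field name"
| eval uri_file=split("news%20article|2014%20white%20paper.pdf|report%20%28final%29.pdf|a%2520b.txt", "|")
| mvexpand uri_file
| eval sed_only=uri_file
| rex field=sed_only mode=sed "s/%20/ /g"
| eval decoded=urldecode(uri_file)
| eval still_encoded=if(match(decoded, "%[0-9A-Fa-f]{2}"), "yes", "no")
| table uri_file sed_only decoded still_encoded
```

Compare the sed_only and decoded columns row by row; a "yes" in still_encoded marks a value that needs another decode pass before it is compared against plain-text strings.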

Re: Ignore or Remove characters from search results

New Member

I am facing a similar issue:

O/p
REFUSALREASON count
":"04 : Capture card"," 24
":"05 : Do not honor"," 277
":"07 : Pickup card, special condition"," 7
":"12 : Invalid transaction"," 56
":"14 : Invalid card number","

Expected O/p
04 : Capture card
05 : Do not honor
07 : Pickup card, special condition
12 : Invalid transaction
14 : Invalid card number

Query I am using:
"ADYEN JSON NOTIFICATION DATA" ("eventCode":"AUTHORISATION") ("merchantOrderReference":"AP") AND NOT Approved
| rex field=_raw "refusalReasonRaw(?<REFUSALREASON>.*)billingAddress.stateOrProvince(?<Msg>.*)" | stats count by REFUSALREASON

after refusalReasonRaw in the bracket, it is REFUSALREASON
after billingAddress.stateOrProvince in the bracket, it is Msg
I want expected o/p but somehow I am not able to figure out please help me!

0 Karma