Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Re: Help on removing the double quotes and reading a substring

manojchacko78
Path Finder
‎09-30-2022 01:35 AM

Hi @gcusello 

Need one more help, from the below log, i am able to remove all the wild characters using below script, but need to retain the commas in the texts (in italics) between  Message and Details, similarly for Message and Success

Appreciate the help

| eval "EM"=if(isnotnull('cip:AuditMessage.MessageText'),'cip:AuditMessage.MessageText',"Data Not Found")
| rex field=EM max_match=0 "(?<ErrMes>\w+)"
| eval ErrorMessage = mvjoin (ErrMes, " ")
| rex field=ErrorMessage Message\s+(?<ErrorResponse>.*)\s+Details\s+Message\s+(?<ErrorResponse2>.*)\s+Success

{"@odata.context":"https://apistaging.payspace.com/odata/v1.0/11997/$metadata#Employee/$entity","Message":"The Nationality field is required., The Province field is required., The Code field is required., The Country field is required.","Details":[{"Message":"The Nationality field is required."},{"Message":"The Province field is required."},{"Message":"The Code field is required."},{"Message":"The Country field is required."}],"Success":false}

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2022 03:25 AM

Hi @manojchacko78,

let me understand: you want to remove commas having one message field or you want four messages?

in the first case, you can use replace

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details"
| replace "," WITH ""

if instead you want four messages you have to use two regexes, please try this regex:

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details"
| rex field=Full_Message "((^)|(,\s+))(?<Message>[^\.]+)"

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2022 01:56 AM

Hi @manojchacko78,

this isn't naother question, anyway, could you share the desidered output?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

SinghK
Builder
‎09-30-2022 03:43 AM

I have moved the post to new post. 

@manojchacko78  please ask new questions in separate posts. 

 

regards,

Singhk

0 Karma
Reply
Solved! Jump to solution

manojchacko78
Path Finder
‎09-30-2022 02:39 AM

Hi @gcusello 

Thanks for the reply

This is what i am getting as raw

{"@odata.context":"https://url.com","Message":"The Nationality field is required., The Province field is required., The Code field is required., The Country field is required.","Details":[{"Message":"The Nationality field is required."},{"Message":"The Province field is required."},{"Message":"The Code field is required."},{"Message":"The Country field is required."}],"Success":false}

Now the bold text above is the desired output i am trying to extract. This bold texts always comes between these two words Message":" and ","Details

Kindly advise

 

0 Karma
Reply
Solved! Jump to solution

manojchacko78
Path Finder
‎09-30-2022 03:13 AM

Now as the below code, all the wild characters are removed

| eval "EM"=if(isnotnull('cip:AuditMessage.MessageText'),'cip:AuditMessage.MessageText',"Data Not Found")
| rex field=EM max_match=0 "(?<ErrMes>\w+)"
| eval ErrorMessage = mvjoin (ErrMes, " ")
| rex field=ErrorMessage Message\s+(?<ErrorResponse>.*)\s+Details

I am getting the extracted message, so these are basically 4 error messages separated by commas, but since i am removing all the wild characters the comma is gone. So the commas should be extracted as it is

The Nationality field is required The Province field is required The Code field is required The Country field is required

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2022 03:25 AM

Hi @manojchacko78,

let me understand: you want to remove commas having one message field or you want four messages?

in the first case, you can use replace

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details"
| replace "," WITH ""

if instead you want four messages you have to use two regexes, please try this regex:

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details"
| rex field=Full_Message "((^)|(,\s+))(?<Message>[^\.]+)"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

manojchacko78
Path Finder
‎09-30-2022 05:12 AM

This one worked like a gem

| rex "\"Message\":\"(?<Full_Message>[^\"]+)\",\"Details"

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2022 03:00 AM

Hi @manojchacko78,

please try thi regex:

\"Message\":\"(?<Message>[^\"]+)\",\"Details

that you can test at https://regex101.com/r/8zMJIf/1

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...