Remove double quotes and slashes from the field

Rukmani_Splunk
Path Finder

I am having a field like this below.

 

message :"{"\payement":"xxx", "\account:" xxx"}"

 

I want the first and last quote .. How to remove that?

0 Karma

ITWhisperer
SplunkTrust
| rex mode=sed field=_raw "s/message :\"\{(.*)\}\"/message :\{\1\}/g" 
0 Karma

Rukmani_Splunk
Path Finder

Thank you so much .. but it didn't help, maybe an issue with the data

 

Thanks a lot

0 Karma

venkatasri
SplunkTrust

Yes, it works for the sample you provided, which starts with message; you can tune the regex to match your data, the approach remains the same.

0 Karma

venkatasri
SplunkTrust

Hi @Rukmani_Splunk, can you try the following? You can replace _raw with the field name that you mentioned.

 

<your_search_goes_here>
| rex mode=sed field=_raw "s/message :\"(.*)\"/message :\1/g" 
| eval clean_text=replace(_raw, "\\\\", "")

 

The output would be in a field called clean_text here:

message :{"payement":"xxx", "account:" xxx"}

 

---

An upvote would be appreciated and Accept solution if  this reply helps!
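
A run-anywhere reproduction of the two steps from the answer above, added here as an example and not part of any poster's reply. Both events are constructed: the first uses the thread's sample verbatim, the second is an assumed variant without the space before the colon, and `n`, `sample_origin`, `original` and `outer_quotes_stripped` are illustrative field names.

```spl
| makeresults count=2
| streamstats count AS n
| eval sample_origin="constructed for this example"
| eval _raw=case(
    n==1, "message :\"{\"\\payement\":\"xxx\", \"\\account:\" xxx\"}\"",
    n==2, "message:\"{\"\\payement\":\"xxx\", \"\\account:\" xxx\"}\"")
| eval original=_raw
| rex mode=sed field=_raw "s/message :\"(.*)\"/message :\1/g"
| eval outer_quotes_stripped=if(_raw==original, "no", "yes")
| eval clean_text=replace(_raw, "\\\\", "")
| table n sample_origin original outer_quotes_stripped clean_text
```

The sed expression only rewrites events that contain the literal prefix `message :"`, so the second event keeps its outer quotes while the `replace` still removes its backslashes. Comparing `original` with `clean_text` on real events shows whether the prefix in the regex needs tuning.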
