Re: Remove double quotes and slashes from the fie...

Rukmani_Splunk · ‎07-07-2021

i am having field like this below.

message :"{"\payement":"xxx", "\account:" xxx"}"

I want the first and last quote .. How to remove that

ITWhisperer · ‎07-08-2021

| rex mode=sed field=_raw "s/message :\"\{(.*)\}\"/message :\{\1\}/g"

Rukmani_Splunk · ‎07-08-2021

Thank you so much .. but it didnt help may be issue with data

Thanks a lot

venkatasri · ‎07-08-2021

Yes it works for your sample provided starts with message , you can tune regex to match with your data approach remains same..

venkatasri · ‎07-07-2021

Hi @Rukmani_Splunk Can you try following, you can replace _raw with field name that you said.

<your_search_goes_here>
| rex mode=sed field=_raw "s/message :\"(.*)\"/message :\1/g" 
| eval clean_text=replace(_raw, "\\\\", "")

Output would be in field called clean_text here,

message :{"payement":"xxx", "account:" xxx"}

---

An upvote would be appreciated and Accept solution if this reply helps!

Remove double quotes and slashes from the field