Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove specific substrings from specific values

techspec
Explorer
‎10-08-2020 05:24 PM

I have a query that looks for certain error messages and displays a list sorted by most common occurrence. My problem is that some of these error messages contain unique IDs, causing them to show as separate results.

The first 3 messages below end with unique values - how do I update this query to output those error messages without the unique values after the * mark, or even replace with another string like "redacted"?

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0 
  (
    extraData.message="Incorrect email or password for*"  OR
    extraData.message="Street address and/or city is too long*" OR
    extraData.message="The following address could not be found:*" OR
    extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
    extraData.message="The network connection was lost."
  )  
| stats count by extraData.message | sort -count

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pathik
Path Finder
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pathik
Path Finder
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

0 Karma
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 11:33 AM

Thanks - what you suggested makes sense, but I used it exactly as you showed and get "no results found": 

Screen Shot 2020-10-09 at 11.32.57 AM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:46 AM
With like you must use % and _ instead of *
https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/ConditionalFunctions
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 12:36 PM

Thanks - still no luck. Even tried on an error message with no wildcards, just a simple match and replace:

Screen Shot 2020-10-09 at 12.34.49 PM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:03 PM
Try to put ‘ surround your field names.
Reply
Solved! Jump to solution

techspec
Explorer
‎10-10-2020 08:52 AM

That did it - thanks!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-08-2020 09:56 PM
Hi
Other option is use rex mode=sed
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
Top