Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove specific substrings from specific values

techspec
Explorer
‎10-08-2020 05:24 PM

I have a query that looks for certain error messages and displays a list sorted by most common occurrence. My problem is that some of these error messages contain unique IDs, causing them to show as separate results.

The first 3 messages below end with unique values - how do I update this query to output those error messages without the unique values after the * mark, or even replace with another string like "redacted"?

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0 
  (
    extraData.message="Incorrect email or password for*"  OR
    extraData.message="Street address and/or city is too long*" OR
    extraData.message="The following address could not be found:*" OR
    extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
    extraData.message="The network connection was lost."
  )  
| stats count by extraData.message | sort -count

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pathik
Path Finder
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pathik
Path Finder
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

0 Karma
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 11:33 AM

Thanks - what you suggested makes sense, but I used it exactly as you showed and get "no results found": 

Screen Shot 2020-10-09 at 11.32.57 AM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:46 AM
With like you must use % and _ instead of *
https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/ConditionalFunctions
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 12:36 PM

Thanks - still no luck. Even tried on an error message with no wildcards, just a simple match and replace:

Screen Shot 2020-10-09 at 12.34.49 PM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:03 PM
Try to put ‘ surround your field names.
Reply
Solved! Jump to solution

techspec
Explorer
‎10-10-2020 08:52 AM

That did it - thanks!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-08-2020 09:56 PM
Hi
Other option is use rex mode=sed
r. Ismo
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...