Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove specific substrings from specific values

techspec
Explorer
‎10-08-2020 05:24 PM

I have a query that looks for certain error messages and displays a list sorted by most common occurrence. My problem is that some of these error messages contain unique IDs, causing them to show as separate results.

The first 3 messages below end with unique values - how do I update this query to output those error messages without the unique values after the * mark, or even replace with another string like "redacted"?

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0 
  (
    extraData.message="Incorrect email or password for*"  OR
    extraData.message="Street address and/or city is too long*" OR
    extraData.message="The following address could not be found:*" OR
    extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
    extraData.message="The network connection was lost."
  )  
| stats count by extraData.message | sort -count

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pathik
Path Finder
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pathik
Path Finder
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

0 Karma
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 11:33 AM

Thanks - what you suggested makes sense, but I used it exactly as you showed and get "no results found": 

Screen Shot 2020-10-09 at 11.32.57 AM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:46 AM
With like you must use % and _ instead of *
https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/ConditionalFunctions
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 12:36 PM

Thanks - still no luck. Even tried on an error message with no wildcards, just a simple match and replace:

Screen Shot 2020-10-09 at 12.34.49 PM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:03 PM
Try to put ‘ surround your field names.
Reply
Solved! Jump to solution

techspec
Explorer
‎10-10-2020 08:52 AM

That did it - thanks!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-08-2020 09:56 PM
Hi
Other option is use rex mode=sed
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...