Solved: SEDCMD search inline question

tkwaller · ‎04-08-2016

I am trying to test a sedcmd command, inline, that Im going to add. I am finding a string and replacing it with a field="string with spaces"
Heres a log sample:
2016-04-08 15:04:14,711 [_498147344979146612131995] priority=ERROR thread=http-nio-10010-exec-9 location=com.xxx.search.suggest.v3.impl Found invalid sort sields, invalidFields=eventDateLocal asc

I want to replace:
Found invalid sort sields

with:
message="Found invalid sort fields"

Ive tried several different options including this:
index=java host=src sourcetype=tomcat:src:server "Found invalid sort sields" | rex mode=sed "s/\sFound\sinvalid\ssort\ssields/ message="\"Found invalid sort fields\""/g"

But this errors:
Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

Any thoughts on how I can get around this?

somesoni2 · ‎04-08-2016

Try like this (run anywhere sample)

| gentimes start=-1 | eval _raw="2016-04-08 15:04:14,711 [_498147344979146612131995] priority=ERROR thread=http-nio-10010-exec-9 location=com.xxx.search.suggest.v3.impl Found invalid sort sields, invalidFields=eventDateLocal asc" | table _raw 
| rex mode=sed "s/(Found\sinvalid\ssort\ssields)/Message=\"\1\"/"

View solution in original post

somesoni2 · ‎04-08-2016

Try like this (run anywhere sample)

| gentimes start=-1 | eval _raw="2016-04-08 15:04:14,711 [_498147344979146612131995] priority=ERROR thread=http-nio-10010-exec-9 location=com.xxx.search.suggest.v3.impl Found invalid sort sields, invalidFields=eventDateLocal asc" | table _raw 
| rex mode=sed "s/(Found\sinvalid\ssort\ssields)/Message=\"\1\"/"

tkwaller · ‎04-08-2016

So I took your above and modified my search from using:

rex mode=sed "s/\sFound\sinvalid\ssort\ssields/ message="\"Found invalid sort fields\""/g"

to use:
rex mode=sed "s/(Found\sinvalid\ssort\ssields)/message=\"Found invalid sort fields\"/g"

Works now
Thanks!

wrangler2x · ‎04-08-2016

The parens around the search string capture the matched string. This is why he uses the \1 in the replace string. If your log sample really has sields instead of fields and you not only want to add message= to it, but also change the spelling the \1 can't be used. However, if the log sample really has fields then the \1 should work dandy!

tkwaller · ‎04-08-2016

Really?
Cause I used this:
index=java host=src sourcetype=tomcat:src:server earliest=-4h "Found invalid sort sields"| rex mode=sed "s/(Found\sinvalid\ssort\ssields)/message=\"Found invalid sort fields\"/g"

And got the results:
2016-04-08 16:59:48,521 [_498840895039862628422332] priority=ERROR thread=http-nio-10010-exec-6 location=com.xxx.search.suggest.v3.impl message="Found invalid sort fields", invalidFields=eventDateLocal asc

What makes you say it doesn't work?

wrangler2x · ‎04-08-2016

I did not say it does not work. I said the parentheses are used to capture the matched data, and the \1 returns that in the replace string. If you are going to use a literal replace string -- as you are showing you are doing, you don't need the parentheses or the \1. I am kind of curious why your log entry has that mis-spelling of the word fields as sields.

tkwaller · ‎04-08-2016

Sure sure, I understand.
Thanks!

tkwaller · ‎04-08-2016

Removing the parens returns the same results as well

SEDCMD search inline question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation