Splunk Search

Splunk search help: formatting a field

New Member

Can somebody help me with a Splunk query to format the below MESSAGE field value

  • MESSAGE=ABC-STATUS-COUNT={\"false\":1,\"true\":1}\n

as something like below

  • MESSAGE=ABC-STATUS-COUNT-{false:1,true:1}
0 Karma

Revered Legend

You can do it like this (run-anywhere search; replace line 1 with your search):

| gentimes start=-1 | eval MESSAGE="ABC-STATUS-COUNT={\\\"false\\\":1,\\\"true\\\":1}\\n" 
| rex field=MESSAGE mode=sed "s/\\\[\"\w]//g"
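
The substitution from the answer above, emulated in Python as an added example that is not part of the original thread. It shows what the character class strips on the question's value and on a value that contains legitimate backslashes. Assumptions: the sed expression reaches the regex engine as `\\["\w]`; the `NARROW` pattern, the function names and `PATH_SAMPLE` are hypothetical and constructed for illustration.

```python
import re

# Assumption: after SPL string unescaping, the answer's sed expression reaches
# the regex engine as  \\["\w]  (a backslash followed by a quote or word char).
BROAD = re.compile(r'\\["\w]')

# Narrower alternative (hypothetical, not from the thread): strip only the
# escaped quote and an escaped newline at the very end of the value.
NARROW = re.compile(r'\\"|\\n$')


def strip_broad(message: str) -> str:
    """Emulate a global sed-style substitution with BROAD on one field value."""
    return BROAD.sub("", message)


def strip_narrow(message: str) -> str:
    """Same substitution with the narrower pattern."""
    return NARROW.sub("", message)


# Constructed sample values; every backslash is a literal character in the field.
SAMPLE = r'ABC-STATUS-COUNT={\"false\":1,\"true\":1}\n'
PATH_SAMPLE = r'LOAD-FAILED={\"file\":\"C:\\temp\\new.dll\"}\n'

if __name__ == "__main__":
    for value in (SAMPLE, PATH_SAMPLE):
        print("raw:   ", value)
        print("broad: ", strip_broad(value))   # also eats \t and \n inside the path
        print("narrow:", strip_narrow(value))  # path backslashes survive
```

On the question's value both patterns give the same result; they differ only when the field carries other backslash sequences, such as Windows paths, which matters if the cleaned field is later used for matching or alerting.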