Splunk Search

replace function itself is not working when i did a splunk search query

d942725
New Member

I have a use case where I need to pass the previously performed search query to replace part of the message with an empty string.

environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","")

The message obtained from this must in turn be used for another operation. But the replace function itself is not working when I run the Splunk search query. I am able to see the log with "Data =" not removed; it comes through as it is. I need to do this asap. Can you please provide a solution?

1 Solution

Vijeta
Influencer

Hi @d942725 - Try using _raw as the field name.

rex field=_raw mode=sed "s/Data\s*=\s*//"



d942725
New Member

This one Worked for me. Thanks a lot.


Vijeta
Influencer

@d942725 Welcome :). Can you please accept the answer.


d942725
New Member

Sure, I'll accept the answer.

Thanks


d942725
New Member

But for logstash logs, I have the string data available under the field "message". Is it recommended to do that without including the field name there?


d942725
New Member

I've a message as displayed below from the log.

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",". Tried both ways, with a space before Data and without. But nothing has sorted out the issue. I need to remove the " Data = " in the above message and must be able to get the actual JSON. Please help with the possible ways.


richgalloway
SplunkTrust

In environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","") the replace command has a space before "Data" so it does not match the sample event.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Based on your comment, consider using rex instead of replace.

| rex field=message mode=sed "s/Data\s*=\s*//"
---
If this reply helps you, Karma would be appreciated.

d942725
New Member

environment="sit" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data ="| rex field=message mode=sed "s/Data\s*=\s*//"

I used the above query in the Splunk UI.

Still able to see the output as below:

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",

" Data = " was still not removed from the actual message.


richgalloway
SplunkTrust

There must be something about your data that is not included in this question because the following run-anywhere example works.

| makeresults annotate=true | eval message="Data = {\"data\":{\"time\":\"2020-02-03T12:43:49+00:00\"" | rex field=message mode=sed "s/Data\s*=\s*//" | table message
---
If this reply helps you, Karma would be appreciated.
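Added example, not from the thread: a small Python check of the two patterns discussed above. The literal " Data = " from the original replace() call carries a leading space, so it never matches a value that starts with "Data"; the \s*-tolerant pattern from the rex answers matches with or without spaces around "=", and what remains parses as JSON. The sample message is constructed to resemble the thread's log line but completed so the remainder is valid JSON; Splunk's replace() and rex mode=sed are both regex-based, which re.sub mimics here.

```python
import json
import re

# Constructed sample value of the "message" field, modelled on the log line in
# the thread but completed so that the remainder is valid JSON.
SAMPLE_MESSAGE = 'Data = {"data":{"time":"2020-02-03T12:43:49+00:00","id":"abc123"}}'

# Pattern from the thread's replace() call: the leading space is part of the
# literal, so it cannot match a value that starts with "Data".
LITERAL_WITH_SPACE = r" Data = "

# Pattern from the rex mode=sed answers: any whitespace around "=" is allowed.
TOLERANT = r"Data\s*=\s*"


def strip_prefix(message: str, pattern: str) -> str:
    """Remove the first match of pattern, as replace()/rex mode=sed would."""
    return re.sub(pattern, "", message, count=1)


def extract_json(message: str, pattern: str = TOLERANT):
    """Strip the prefix and parse the remainder; return None if it is not JSON."""
    body = strip_prefix(message, pattern)
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    print(strip_prefix(SAMPLE_MESSAGE, LITERAL_WITH_SPACE))  # unchanged: no match
    print(strip_prefix(SAMPLE_MESSAGE, TOLERANT))            # JSON only
    print(extract_json(SAMPLE_MESSAGE))                      # parsed dict
```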

d942725
New Member

Hi richgalloway,

rex field=_raw mode=sed "s/Data\s*=\s*//"

The above one worked for me.
