replace function itself is not working when i did a splunk search query

d942725
New Member

I have a use case where I need to pass the previously performed search query to replace part of the message with an empty string.

environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","")

The message obtained above must in turn be used to do another operation. But the replace function itself is not working when I did a Splunk search query. I am able to see the log with "Data =" not being removed and coming as it is. I need to do this asap. Can you please provide a solution?

0 Karma
1 Solution


Vijeta
Influencer

Hi @d942725 - Try using _raw in the field name.

rex field=_raw mode=sed "s/Data\s*=\s*//"

0 Karma

d942725
New Member

This one worked for me. Thanks a lot.

0 Karma

Vijeta
Influencer

@d942725 Welcome :). Can you please accept the answer?

0 Karma

d942725
New Member

Sure, I'll accept the answer.

Thanks

0 Karma

d942725
New Member

But for Logstash logs, I have the string data available under the field "message". Is it recommended to do that which doesn't include the field name over there?

0 Karma

d942725
New Member

I've a message as displayed below from the log.

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",

Tried either of the ways, without space before Data and without space. But nothing has sorted out the issue. I need to remove the " Data = " in the above message and must be able to get the actual JSON. Please help with the possible ways.

0 Karma

richgalloway
SplunkTrust

In

environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","")

the replace command has a space before "Data", so it does not match the sample event.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

Based on your comment, consider using rex instead of replace.

| rex field=message mode=sed "s/Data\s*=\s*//"

---
If this reply helps you, Karma would be appreciated.
0 Karma

d942725
New Member

environment="sit" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data ="| rex field=message mode=sed "s/Data\s*=\s*//"

Used the above query in the Splunk UI.

Still able to see the output as below:

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",

" Data = " was still not removed from the actual message.

0 Karma

richgalloway
SplunkTrust

There must be something about your data that is not included in this question because the following run-anywhere example works.

| makeresults annotate=true | eval message="Data = {\"data\":{\"time\":\"2020-02-03T12:43:49+00:00\"" | rex field=message mode=sed "s/Data\s*=\s*//" | table message

---
If this reply helps you, Karma would be appreciated.
0 Karma

d942725
New Member

Hi richgalloway,

rex field=_raw mode=sed "s/Data\s*=\s*//"

The above one worked for me.

0 Karma
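A run-anywhere search, added here as an illustration and not taken from any post in this thread, that puts the three variants discussed above next to each other on the sample value from the question (the JSON is closed off, so the value is constructed): replace() with the leading-space pattern from the original query, replace() with a pattern anchored at the start of the field, and rex mode=sed. Which field actually holds the text (message or _raw) depends on how the event is extracted, which the thread does not show.

```spl
| makeresults
| eval message="Data = {\"data\":{\"time\":\"2020-02-03T12:43:49+00:00\"}}"
| eval replace_with_space=replace(message, " Data = ", "")
| eval replace_anchored=replace(message, "^Data\s*=\s*", "")
| rex field=message mode=sed "s/^Data\s*=\s*//"
| table replace_with_space replace_anchored message
```

replace_with_space comes back unchanged because the value starts with "Data", not with a space; replace_anchored and message both hold the bare JSON.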