Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trim everything till refusal reason from the start

man03359
Communicator
‎07-03-2023 07:50 AM

Hi,

I am trying to trim everything before the "211 Withdrawal amount exceeded: from the output --

WITHDRAWAL_AMOUNT_EXCEEDED; Refusal Reason: 211 Withdrawal amount exceeded.

But in my logs, at some events Refusal Reason is blank, so in that case I need to trim off the first part.

e.g.,

Validation failed: Total amount is lower than configured min amount. ; Refusal Reason 

MAINTENANCE; Refusal Reason:

 

please help

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-03-2023 10:58 PM

You have inconsistently used punctuation so this may not be correct, but hopefully you will get the idea

| rex "(?<reason>(.+(?=; Refusal Reason: $)|(?<=Refusal Reason: ).+))"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-03-2023 08:29 AM

To trim the event at index-time, use SEDCMD in props.conf

SEDCMD-trimReason = s/.*(; Refusal Reason.*)/\1/

To trim it at search time, try this

| rex mode=sed "s/.*(; Refusal Reason.*)/\1/"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-03-2023 08:26 AM

It is not clear what you are trying to do.

For a field with:

WITHDRAWAL_AMOUNT_EXCEEDED; Refusal Reason: 211 Withdrawal amount exceeded.

are you trying to set it to

211 Withdrawal amount exceeded.

And for a field with

Validation failed: Total amount is lower than configured min amount. ; Refusal Reason

are you trying to set it to

Refusal Reason

Or something else?

0 Karma
Reply
Solved! Jump to solution

man03359
Communicator
‎07-03-2023 08:43 AM

Yes, correct! 

For a field with:

WITHDRAWAL_AMOUNT_EXCEEDED; Refusal Reason: 211 Withdrawal amount exceeded.

 I am trying to capture 

211 Withdrawal amount exceeded.

and fields with 

And for a field with

Validation failed: Total amount is lower than configured min amount. ; Refusal Reason

trying to capture 

Validation failed: Total amount is lower than configured min amount.

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-03-2023 10:58 PM

You have inconsistently used punctuation so this may not be correct, but hopefully you will get the idea

| rex "(?<reason>(.+(?=; Refusal Reason: $)|(?<=Refusal Reason: ).+))"
0 Karma
Reply
Solved! Jump to solution

man03359
Communicator
‎07-06-2023 06:41 AM

Thanks, but it did not worked for me as expected. So I finally used 2 regex to extract both the field values of Message and Refusal Reason into two separate fields.

Happy Splunking 🙂

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-03-2023 02:35 PM

In that case, you will need two rex commands to capture them:

| rex "Refusal Reason: *(?<refusal_reason>.+)"
| rex "(?<refusal_reason>.+) *; Refusal Reason$"

The first is anchored against colon (:) which the second event does not contain.  The second is anchored to the end of line after "Refusal Reason" which the first event does not meet. 

Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...