Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove specific substrings from specific values

techspec
Explorer
‎10-08-2020 05:24 PM

I have a query that looks for certain error messages and displays a list sorted by most common occurrence. My problem is that some of these error messages contain unique IDs, causing them to show as separate results.

The first 3 messages below end with unique values - how do I update this query to output those error messages without the unique values after the * mark, or even replace with another string like "redacted"?

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0 
  (
    extraData.message="Incorrect email or password for*"  OR
    extraData.message="Street address and/or city is too long*" OR
    extraData.message="The following address could not be found:*" OR
    extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
    extraData.message="The network connection was lost."
  )  
| stats count by extraData.message | sort -count

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pathik
Explorer
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pathik
Explorer
‎10-08-2020 09:41 PM

Try adding below to replace message with the one you are looking for.

index=mint event_name=APIServiceError appEnvironment=Release appVersionName>=3.0
(
extraData.message="Incorrect email or password for*" OR
extraData.message="Street address and/or city is too long*" OR
extraData.message="The following address could not be found:*" OR
extraData.message="We failed to authorize your payment card. Please verify your payment card is valid." OR
extraData.message="The network connection was lost."
)
| eval extraData.message=if(like(extraData.message, "Street address and/or city is too long*"), "Street address and/or city is too long",extraData.message) | stats count by extraData.message | sort -count 

0 Karma
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 11:33 AM

Thanks - what you suggested makes sense, but I used it exactly as you showed and get "no results found": 

Screen Shot 2020-10-09 at 11.32.57 AM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:46 AM
With like you must use % and _ instead of *
https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/ConditionalFunctions
Reply
Solved! Jump to solution

techspec
Explorer
‎10-09-2020 12:36 PM

Thanks - still no luck. Even tried on an error message with no wildcards, just a simple match and replace:

Screen Shot 2020-10-09 at 12.34.49 PM.png

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:03 PM
Try to put ‘ surround your field names.
Reply
Solved! Jump to solution

techspec
Explorer
‎10-10-2020 08:52 AM

That did it - thanks!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-08-2020 09:56 PM
Hi
Other option is use rex mode=sed
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...