Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ignore or Remove characters from search results

hagjos43
Contributor
‎04-25-2014 04:57 AM

I have a need to ignore specific characters in my search results. I'm assuming this can be done with REGEX or something similar. Here is an example of what I need:
Current results:

news%20article
article%20about%20stuff
2014%20white%20paper.pdf

What I need it to look like is:

news article
article about stuff
2014 white paper.pdf

Is this possible? If so can someone point me in the right direction?
Thanks!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 05:12 AM

Looks like sed will do the job.

... | rex field=<field> mode=sed "s/%20/ /g" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

sanjeev_srivast
New Member
‎01-15-2019 09:31 AM

I am facing similar issue:

O/p
REFUSALREASON count
":"04 : Capture card"," 24
":"05 : Do not honor"," 277
":"07 : Pickup card, special condition"," 7
":"12 : Invalid transaction"," 56
":"14 : Invalid card number","

Expected O/p
04 : Capture card
05 : Do not honor
07 : Pickup card, special condition
12 : Invalid transaction
14 : Invalid card number

Query i am using:
"ADYEN JSON NOTIFICATION DATA" ("eventCode":"AUTHORISATION") ("merchantOrderReference":"AP*") AND NOT Approved
| rex field=_raw "refusalReasonRaw(?.)billingAddress.stateOrProvince(?.)" | stats count by REFUSALREASON

after refusalReasonRaw in the bracket, it is REFUSALREASON
after billingAddress.stateOrProvince in the bracket, it is Msg
I want expected o/p but somehow I am not able to figure out please help me!

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎04-25-2014 05:14 AM

Hi hagjos43,

Yes it is possible, try something like this:

... | rex mode=sed "s/\%20/ /g"

this will search for all %20 and replace it by a blank

hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2014 05:12 AM

Looks like sed will do the job.

... | rex field=<field> mode=sed "s/%20/ /g" | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

clintla
Contributor
‎08-06-2019 01:19 PM

Nice! Worked well!

0 Karma
Reply
Solved! Jump to solution

AshimaE
Explorer
‎07-06-2017 01:24 AM

@richgalloway how to replace mutiple characters separately using this or any other method. I want to replace both "abc" and "def" from the same field message

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2017 06:15 AM

@ashimae, It's better to ask a new question than to add on to a old question with an accepted answer.

Have you tried using this same method with your data?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

hagjos43
Contributor
‎04-25-2014 06:12 AM

This worked! Thank you!

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎04-25-2014 05:15 AM

you beat me, I was typing for too long 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...