Splunk Search

Ignore or Remove characters from search results

hagjos43
Contributor

I have a need to ignore specific characters in my search results. I'm assuming this can be done with REGEX or something similar. Here is an example of what I need:
Current results:

news%20article
article%20about%20stuff
2014%20white%20paper.pdf

What I need it to look like is:

news article
article about stuff
2014 white paper.pdf

Is this possible? If so can someone point me in the right direction?
Thanks!

1 Solution

richgalloway
SplunkTrust

Looks like sed will do the job.

... | rex field=<field> mode=sed "s/%20/ /g" | ...
---
If this reply helps you, Karma would be appreciated.

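As an added illustration (not code from the thread or from Splunk), the following Python emulates what `rex mode=sed "s/%20/ /g"` does to a field value and puts it beside a full percent-decode, which is what Splunk's `urldecode()` eval function does. The sample values are constructed to match the shapes in the question; `report%2520final.pdf` and `notes%2Fq3%2Fsummary.txt` are added to show two things a practitioner should know: a substitution that only targets `%20` leaves every other escape alone, and a single decode pass leaves double-encoded input (`%25` is an encoded `%`) still encoded, which matters when a search or detection rule matches on the decoded form. The `remove_tokens` helper also covers the later follow-up question about stripping several different substrings from one field. All function names here are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample field values in the shape shown in the question (not real data).
SAMPLE_VALUES = [
    "news%20article",
    "article%20about%20stuff",
    "2014%20white%20paper.pdf",
    "report%2520final.pdf",      # double-encoded: %25 is itself an encoded '%'
    "notes%2Fq3%2Fsummary.txt",  # other escapes that s/%20/ /g leaves untouched
]


def sed_substitute(value, pattern, replacement, global_flag=True):
    """Emulate rex mode=sed "s/pattern/replacement/" on one field value.

    With global_flag=True this behaves like the trailing 'g' flag (replace every
    match); without it only the first match is replaced, as in plain sed.
    """
    return re.sub(pattern, replacement, value, count=0 if global_flag else 1)


def replace_space_encoding(value):
    """The accepted answer: s/%20/ /g, i.e. only the encoded space is rewritten."""
    return sed_substitute(value, r"%20", " ")


def percent_decode_once(value):
    """One layer of percent-decoding (%20, %2F, %25, ...), like urldecode() in SPL."""
    return unquote(value)


def percent_decode_fully(value, max_rounds=5):
    """Decode until the value stops changing, so double-encoded input (%2520)
    ends up in the same form as singly-encoded input before any matching is done.
    max_rounds bounds the loop for pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def remove_tokens(value, tokens):
    """Drop several literal substrings from one value in a single regex pass.

    Covers the follow-up question (removing both "abc" and "def" from one field);
    re.escape keeps any regex metacharacters in the tokens literal.
    """
    if not tokens:
        return value
    pattern = "|".join(re.escape(t) for t in tokens)
    return re.sub(pattern, "", value)


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{v!r:30} -> {replace_space_encoding(v)!r:30} -> {percent_decode_fully(v)!r}")
```

Run the file to see the three columns side by side: the first two sample values look identical under both approaches, while the double-encoded and slash-encoded values only come out clean under the full decode. The practical takeaway is that `s/%20/ /g` is the right fix for the question as asked, but if the field is user-controlled and the search is meant to find a particular path or name, decode the whole value first so an encoding variant cannot fall outside the match.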

sanjeev_srivast
New Member

I am facing a similar issue.

Output:
REFUSALREASON                                count
":"04 : Capture card","                      24
":"05 : Do not honor","                      277
":"07 : Pickup card, special condition","    7
":"12 : Invalid transaction","               56
":"14 : Invalid card number","

Expected output:
04 : Capture card
05 : Do not honor
07 : Pickup card, special condition
12 : Invalid transaction
14 : Invalid card number

Query I am using:
"ADYEN JSON NOTIFICATION DATA" ("eventCode":"AUTHORISATION") ("merchantOrderReference":"AP*") AND NOT Approved
| rex field=_raw "refusalReasonRaw(?<REFUSALREASON>.*)billingAddress.stateOrProvince(?<Msg>.*)" | stats count by REFUSALREASON

After refusalReasonRaw, the bracket contains REFUSALREASON.
After billingAddress.stateOrProvince, the bracket contains Msg.
I want the expected output but somehow I am not able to figure it out. Please help me!

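As an added example (not code from the thread or from Splunk), the Python below reproduces the follow-up's extraction problem on constructed notification events and shows why the captures carry the stray `":"` and `","` characters: the capture group starts immediately after the key name, so a greedy `.*` swallows the quote and colon syntax around the value. A pattern anchored on the full `"key":"` syntax with a `[^"]*` body stops at the closing quote and yields exactly the expected output. The events, the state values and the counts are constructed for the example; `extract` and `count_by_refusal_reason` are the example's own names. Python writes a named group as `(?P<name>...)`, whereas Splunk's PCRE accepts `(?<name>...)`.

```python
import re
from collections import Counter

# Constructed notification events in the shape the question describes (not real data).
SAMPLE_EVENTS = [
    'ADYEN JSON NOTIFICATION DATA {"eventCode":"AUTHORISATION","merchantOrderReference":"AP-1001",'
    '"success":"false","refusalReasonRaw":"04 : Capture card","billingAddress.stateOrProvince":"CA"}',
    'ADYEN JSON NOTIFICATION DATA {"eventCode":"AUTHORISATION","merchantOrderReference":"AP-1002",'
    '"success":"false","refusalReasonRaw":"05 : Do not honor","billingAddress.stateOrProvince":"NY"}',
    'ADYEN JSON NOTIFICATION DATA {"eventCode":"AUTHORISATION","merchantOrderReference":"AP-1003",'
    '"success":"false","refusalReasonRaw":"05 : Do not honor","billingAddress.stateOrProvince":"TX"}',
    'ADYEN JSON NOTIFICATION DATA {"eventCode":"AUTHORISATION","merchantOrderReference":"AP-1004",'
    '"success":"false","refusalReasonRaw":"12 : Invalid transaction","billingAddress.stateOrProvince":"WA"}',
]

# The pattern from the question, in Python syntax. Greedy .* starts right after the
# key name, so the capture carries the surrounding ":"..."," characters.
GREEDY = re.compile(
    r'refusalReasonRaw(?P<REFUSALREASON>.*)billingAddress.stateOrProvince(?P<Msg>.*)'
)

# Anchored on the full "key":"value" syntax and bounded by [^"]* so each capture
# stops at the closing quote of its value. The literal dot in the key is escaped.
BOUNDED = re.compile(
    r'"refusalReasonRaw":"(?P<REFUSALREASON>[^"]*)"'
    r'.*?"billingAddress\.stateOrProvince":"(?P<Msg>[^"]*)"'
)


def extract(event, pattern):
    """Return the named groups of the first match (like rex), or {} on no match."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def count_by_refusal_reason(events, pattern):
    """Emulate '| stats count by REFUSALREASON' over the extracted field."""
    reasons = (extract(e, pattern).get("REFUSALREASON") for e in events)
    return dict(Counter(r for r in reasons if r is not None))


if __name__ == "__main__":
    print("greedy :", count_by_refusal_reason(SAMPLE_EVENTS, GREEDY))
    print("bounded:", count_by_refusal_reason(SAMPLE_EVENTS, BOUNDED))
```

The first printed dictionary has keys of the form `":"04 : Capture card","`, matching the unwanted output in the question; the second groups on the clean reason text. Because the payload after the prefix is JSON, a more robust option in Splunk than either regex is to extract the fields with `spath`, which handles escaped quotes inside values that a `[^"]*` pattern would cut short.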

MuS
SplunkTrust

Hi hagjos43,

Yes it is possible, try something like this:

... | rex mode=sed "s/\%20/ /g"

This will search for all occurrences of %20 and replace them with a blank.

hope this helps ...

cheers, MuS


clintla
Contributor

Nice! Worked well!


AshimaE
Explorer

@richgalloway how do I replace multiple characters separately using this or any other method? I want to replace both "abc" and "def" in the same field, message.


richgalloway
SplunkTrust

@ashimae, it's better to ask a new question than to add on to an old question with an accepted answer.

Have you tried using this same method with your data?

---
If this reply helps you, Karma would be appreciated.

hagjos43
Contributor

This worked! Thank you!


MuS
SplunkTrust

you beat me, I was typing for too long 🙂
