Splunk Search

How to edit my rex mode=sed syntax to remove parts of a string value?

NuMPTy
Explorer

Hello,

Apologies if this has been asked before (or if there is a much easier way of doing this); I haven't been able to identify any relevant posts elsewhere...

I've got a simple chart I'm trying to modify. Basically, it looks at a syslog message and charts the top 10 'x' based on the number of messages that have been generated.

Pseudo-search-code looks like:

Interesting_String_Value | top 10 field19

Now, what comes out of it is a chart (top 10) as you would expect, but the values look like:

field-description="actual_value"

I want to remove all pieces except for the actual_value (including quotations)

I'd assume I could handle this via rex mode=sed, but I'm not having any luck...

rex mode=sed 's/field-description\=//g;s/\"//g'

Help? : )

0 Karma
1 Solution

inventsekar
Ultra Champion

Just wondering why you want rex mode=sed; maybe a regular rex field extraction is enough. Just a thought -

 Interesting_String_Value | top 10 field19 | rex field=_raw "actual-field-description="(?<actual_value>[maybe \w+ \d+])"

updated from Sundaresh Sir's comment -

Interesting_String_Value | top 10 field19 | rex field=field19 "\"(?<field19>[^\"]+)\""

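The accepted approach as a self-contained search, added here as an example and not taken from any post in the thread; the `field-description="..."` values are constructed with `makeresults`. It also shows the `mode=sed` form, which needs `field=field19` because `rex` works on `_raw` by default and the rows that `top` emits have no `_raw`.

```spl
| makeresults count=1
| eval field19=split("field-description=\"alpha\",field-description=\"beta\",field-description=\"alpha\",field-description=\"gamma\"", ",")
| mvexpand field19
| top 3 field19
| eval via_sed=field19
| rex field=via_sed mode=sed "s/.*\"([^\"]+)\".*/\1/"
| rex field=field19 "\"(?<field19>[^\"]+)\""
| table field19 via_sed count percent
```

Both `field19` and `via_sed` come out as the bare values (alpha, beta, gamma) with the counts from `top` preserved; in a real search replace the first three lines with `Interesting_String_Value | top 10 field19`.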

sundareshr
Legend

Good point. I believe field19 has the values

Interesting_String_Value | top 10 field19 | rev field=field19 "\"(?<field19>[^\"]+)\""

NuMPTy
Explorer

Sundareshr's worked! Thank you!

Do you want to pop that into an answer for credit?

0 Karma

inventsekar
Ultra Champion

Yes Please 😉 .. an upvote and/or accept as answer would be Great !

NuMPTy
Explorer

Not seeing a way to do this for a comment - maybe if you repost it as a top-level answer?

0 Karma

inventsekar
Ultra Champion

Not this comment.. this whole reply, you can "Accept this as answer".. also the upvote button (^)

NuMPTy
Explorer

(obviously substituted 'rev' for 'rex')

0 Karma

sundareshr
Legend

Try this (wasn't sure if you wanted to keep the quotes or remove them; this removes the quotes).

.. | rex mode=sed "s/.*"([^"]+)"/$1/g" | ...

OR this, if you want to retain the quotes

... | rex mode=sed "s/.*("[^"]+")/$1/g" | ...

NuMPTy
Explorer

I get some...interesting errors with both of those.

I'd like to have the output in the chart be:

actual_value

instead of

field-description="actual_value"

Error in 'SearchParser': Missing a search command before '^'.
where field19 != "...{snipped} {errorcontext = d "s/.*"([^"]+)"/$1/g}'.

0 Karma

sundareshr
Legend

My bad. Forgot to escape the quotes. Try this

... | rex mode=sed "s/.*\"([^\"]+)\"/\1/g"

0 Karma

NuMPTy
Explorer

Sorry, I should have caught that as well. This one runs, but the end result is still the same in the chart 😞

0 Karma

richgalloway
SplunkTrust

I suspect you need two separate commands. Try this

... | rex mode=sed 's/field-description\=//g' | rex mode=sed 's/\"//g' | ...

or

... | replace "field-description=" with "" in field19 | replace '"' with '' in field19 | ...
---
If this reply helps you, Karma would be appreciated.

NuMPTy
Explorer

Sadly both seem to have the same effect... (nothing). field-description="" is still there. Even trying just 'field-description' removal doesn't seem to work.

Thanks for the help,

0 Karma