- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex to cut the numerical portion of my search re...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Query :
error SourceName=PaymentProcessingService
Example of a common search result for under the field Exception_Message (the beginning of this string and after the numerical portion do output other info) I would like to regex out the numerical field after the first : and before the statement after the numbers :
Refund failed for order: 331647329643 This transaction has already been fully refunded
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are talking about pulling out the order_number as it's own field, then like this:
error SourceName=PaymentProcessingService | rex field=Exception_Message ":\s*(?<order_number>\d+)"
If you are talking about stripping the order_number from the Exception_Message field, then like this:
error SourceName=PaymentProcessingService | rex field=Exception_Message mode=sed "s/:\\s*\\d+//"
To replace the ID with X characters, do this:
error SourceName=PaymentProcessingService | rex field=Exception_Message mode=sed "s/\\d/X/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like:
error SourceName=PaymentProcessingService | rex field=Exception_Message "^(?P<pt1>.*:\s)\d+(?P<pt2>.*)$" | eval SourceName=pt1.pt2
This will give you the SourceName without the Order ID number as per the data that you provided. If you want to also remove the extra space, you can use:
error SourceName=PaymentProcessingService | rex field=Exception_Message "^(?P<pt1>.*:\s)\d+\s(?P<pt2>.*)$" | eval SourceName=pt1.pt2
It worked for me with your data, so hopefully it will work for you, too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still no luck, thanks for the suggestions guys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are talking about pulling out the order_number as it's own field, then like this:
error SourceName=PaymentProcessingService | rex field=Exception_Message ":\s*(?<order_number>\d+)"
If you are talking about stripping the order_number from the Exception_Message field, then like this:
error SourceName=PaymentProcessingService | rex field=Exception_Message mode=sed "s/:\\s*\\d+//"
To replace the ID with X characters, do this:
error SourceName=PaymentProcessingService | rex field=Exception_Message mode=sed "s/\\d/X/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @woodcock!
I discovered that I'd need a separate regex to strip or replace the unique order ID from my results with "X"'s
I used a similar example like : rex field=Exception_Message mode=sed "s/(?\d)/X/g" but it does not quite work for this application. Total noob on regex and trying to wrap my head around using it so I apologize
Results where I need to regex the numerical values (can you show me a strip and replace option?)
Unable to find the data in CC Value for Order ID 111965624555
Settlement failed for order Unable to find the data in CC Value for Order ID 111965624722
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Se the new 3rd option in my updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you again for your help, I believe we're close
I'm getting outputs of
Failed to process Paypal DoReferenceTransaction. OrderIDCorrelationID:ffaXXcXbXXbfc Error: XXXXX-Instruct the customer to retry the transaction using an alternative payment method from the customers PayPal wallet. The transaction did not complete with the customers selected payment method.
*For the OrderIDCorrelationID:ffaXXcXbXXbfc output I would like the field after OrderIDCorrelationID to be X's and the actual ID has a combo of digits and abc characters
The 3rd option is applying X's to URLs in my statistics results that I would rather not replace with X's
Tokenization failed with status DINVALIDDATA, The tokenization request was declined because the data provided is not consistent with the request (e.g. card type does not match the number).. The specific response data is below:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reason that I wrote it the way that I did (replace any digit with an X was because I do not know how many characters long the string-to-replace is. Try this one:
| rex field=Exception_Message mode=sed "s/ID:\\s*\\S+/ID:#############/"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! thank you @woodcock
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
Updated
error SourceName=PaymentProcessingService | rex field=Exception_Message mode=sed "s/^([^\:]+\:)\s*(\d+)(.+)/\1\3/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @somesoni2 but I'm still getting results such as :
Refund failed for order: 110328067437 This transaction has already been fully refunded
Refund failed for order: 110231793631 This transaction has already been fully refunded
Refund failed for order: 330160134162 This transaction has already been fully refunded
Refund failed for order: 110678047028 This transaction has already been fully refunded
Authorization failed for order: 111498802673 We encountered a FFFCompass problem: Reason: Issuer unavailable.
I'd like to keep the 'Reason: ..." as well if it appears in the results. Really just looking to cut the middle numerical sets
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I mis-interpreted the question. You want to remove the numerical values from field Exception_Message and updated answer should do that.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
