Solved: How to remove \x22 from raw results.

jurjenterpstra · ‎10-30-2017

I'm trying to replace the "\x22" entries in my raw results with the correct quotation marks so I can read the the full result.

In the below example I can read correlation_id and request.timestamp as expected, but I can't read request.headers.method

I'm assuming that replacing those "\x22" entries will do the job.

I've tried ... | rex mode=sed "s/\x22/\"/" but that does not seem to work.

{"correlation_id":"f86eae16-f2e5-498a-b544-a77cfd2ca38d","response_time":"0.046","request":{"timestamp":"2017-10-25T11:23:58+00:00","method":"PATCH","path":"/ordermanagement/v1/orders/-41e6-5s7d0-8c77-228bfd2d6b0e/references","headers":{\x22host\x22:\x22api.example.com\x22,\x22X-Forwarded-Port\x22:\x22443\x22,\x22Content-Type\x22:\x22application\x5C/json; charset=utf-8\x22}}

Thanks for any help you can give!

richgalloway · ‎10-30-2017

The backslash in the regex string must be escaped. In an apparent quirk of Splunk regex, the escape character must also be escaped.
This worked for me.

... | rex mode=sed "s/\\\x22/\"/g" | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-30-2017

The backslash in the regex string must be escaped. In an apparent quirk of Splunk regex, the escape character must also be escaped.
This worked for me.

... | rex mode=sed "s/\\\x22/\"/g" | ...

---
If this reply helps you, Karma would be appreciated.

niketn · ‎10-30-2017

Or replace() function 🙂

|  eval _raw=replace(_raw,"\\\x22","")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jurjenterpstra · ‎10-30-2017

Thank you!

How to remove \x22 from raw results.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms