I'm trying to replace the "\x22" entries in my raw results with the correct quotation marks so I can read the full result.
In the below example I can read correlation_id and request.timestamp as expected, but I can't read request.headers.method
I'm assuming that replacing those "\x22" entries will do the job.
I've tried ... | rex mode=sed "s/\x22/\"/"
but that does not seem to work.
{"correlation_id":"f86eae16-f2e5-498a-b544-a77cfd2ca38d","response_time":"0.046","request":{"timestamp":"2017-10-25T11:23:58+00:00","method":"PATCH","path":"/ordermanagement/v1/orders/-41e6-5s7d0-8c77-228bfd2d6b0e/references","headers":{\x22host\x22:\x22api.example.com\x22,\x22X-Forwarded-Port\x22:\x22443\x22,\x22Content-Type\x22:\x22application\x5C/json; charset=utf-8\x22}}
Thanks for any help you can give!
The backslash in the regex string must be escaped. In an apparent quirk of Splunk regex, the escape character must also be escaped.
This worked for me.
... | rex mode=sed "s/\\\x22/\"/g" | ...
Or replace() function 🙂
| eval _raw=replace(_raw,"\\\x22","")
Thank you!
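The answers above unescape only \x22, while the sample event also carries \x5C. As an added example (not from the original posts), this Python pre-processing step decodes every \xHH escape in a single pass before parsing the JSON; the function names and the sample lines are constructed for illustration, modelled on the event in the question.

```python
import json
import re

# One literal \xHH escape as written into the log: backslash, 'x', two hex digits.
_HEX_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")


def decode_hex_escapes(raw: str) -> str:
    """Replace each literal \\xHH sequence with the byte it encodes.

    The substitution runs on bytes so a multi-byte UTF-8 character that was
    escaped byte by byte is reassembled correctly. It is a single pass:
    text produced by decoding (for example \\x5C followed by 'x22') is not
    decoded a second time.
    """
    data = raw.encode("utf-8")
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    return decoded.decode("utf-8", errors="replace")


def parse_event(raw: str):
    """Return the event as a dict, or None if it is still not valid JSON."""
    try:
        return json.loads(decode_hex_escapes(raw))
    except json.JSONDecodeError:
        # Truncated or otherwise malformed events are left for the caller,
        # which can keep the raw line instead of dropping it.
        return None


# Constructed sample: same shape as the event in the question, with all braces closed.
SAMPLE = (
    r'{"correlation_id":"f86eae16-f2e5-498a-b544-a77cfd2ca38d",'
    r'"request":{"method":"PATCH","headers":{\x22host\x22:\x22api.example.com\x22,'
    r'\x22X-Forwarded-Port\x22:\x22443\x22,'
    r'\x22Content-Type\x22:\x22application\x5C/json; charset=utf-8\x22}}}'
)

# Constructed sample of a truncated event (missing closing braces).
TRUNCATED = r'{"request":{"headers":{\x22host\x22:\x22api.example.com\x22}'

if __name__ == "__main__":
    event = parse_event(SAMPLE)
    print(event["request"]["headers"])
    print(parse_event(TRUNCATED))
```

After decoding, `\x5C/` becomes `\/`, which is a valid JSON escape for `/`, so the Content-Type value parses cleanly.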