How do I remove a string between the first occurre...

Wondergoat77 · ‎10-08-2018

I am trying to remove all content returned in a field between two specific strings but only from the first occurrence of these strings.

I need to do this for a few sections of a log, strings I need to replace look like this:

[code= and ] : replace with empty string
[txid= and ] : replace with empty string
"code":"someCode" : either replace with empty string or only replace the "someCode" section.

Example log:

{"status":500,"statusDesc":"Internal Server Error","code":"someCode","message":"some error message"} [code=919285284] [txid=5f6c0952-5184-4bdd-9658-6487dfaeaf3f] }

I want the result to be:

 {"status":500,"statusDesc":"Internal Server Error","message":"some error message"}

I am essentially trying to remove unique identifiers from this entry so that I can dedup based on the generic log error.

MuS · ‎10-08-2018

Hi Wondergoat77,

try this rex SPL which uses mode=sed to removes the various strings:

| makeresults 
| eval foo="{\"status\":500,\"statusDesc\":\"Internal Server Error\",\"code\":\"someCode\",\"message\":\"some error message\"} [code=919285284] [txid=5f6c0952-5184-4bdd-9658-6487dfaeaf3f] }" 
| rex field=foo mode=sed "s/\[[^\]]+\]|\s\}|\"code\":\"[^\"]+\"//g"

The result looks like this:

Hope this helps ...

cheers, MuS

Wondergoat77 · ‎10-09-2018

Thanks this did exactly what i needed, much appreciated.

MuS · ‎10-09-2018

Awesome, feel free to accept the answer so it is marked as answered 😉

cheers, MuS

woodcock · ‎10-08-2018

Like this:

Your Search Here
| rex "^{(?<curlytext>[^}]+)"
| dedup curlytext

How do I remove a string between the first occurrence of two strings in a query?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability