Splunk Search

replace function itself is not working when I did a Splunk search query

d942725
New Member

I have a use case where I need to pass the previously performed search query to replace part of the message with an empty string.

environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","")

The message obtained above must then be used for another operation. But the replace function itself is not working when I do a Splunk search query. I can see the log with "Data =" not removed; it came through as is. I need to do this ASAP. Can you please provide a solution?

0 Karma
1 Solution

Vijeta
Influencer

Hi @d942725 - Try using _raw in the field name.

rex field=_raw mode=sed "s/Data\s*=\s*//"


0 Karma

d942725
New Member

This one Worked for me. Thanks a lot.

0 Karma

Vijeta
Influencer

@d942725 Welcome :). Can you please accept the answer?

0 Karma

d942725
New Member

Sure, I'll accept the answer.

Thanks

0 Karma

d942725
New Member

But for Logstash logs, I have the string data available under the field "message". Is it recommended to do that, which doesn't include the field name over there?

0 Karma

d942725
New Member

I have a message, as displayed below, from the log.

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",". I tried both ways, with and without a space before Data, but neither sorted out the issue. I need to remove the " Data = " from the above message and be able to get the actual JSON. Please help with the possible ways.

0 Karma

richgalloway
SplunkTrust

In environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = "| eval message=replace(message," Data = ","") the replace command has a space before "Data", so it does not match the sample event.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

Based on your comment, consider using rex instead of replace.

| rex field=message mode=sed "s/Data\s*=\s*//"
---
If this reply helps you, Karma would be appreciated.
0 Karma

d942725
New Member

environment="sit" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data ="| rex field=message mode=sed "s/Data\s*=\s*//"

I used the above query in the Splunk UI.

I am still able to see the output as below:

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",

" Data = " was still not removed from the actual message.

0 Karma

richgalloway
SplunkTrust

There must be something about your data that is not included in this question because the following run-anywhere example works.

| makeresults annotate=true | eval message="Data = {\"data\":{\"time\":\"2020-02-03T12:43:49+00:00\"" | rex field=message mode=sed "s/Data\s*=\s*//" | table message
---
If this reply helps you, Karma would be appreciated.
0 Karma
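The difference between the two approaches in this thread is the pattern, not the command: replace() with " Data = " is a whitespace-sensitive literal, while the sed-style rex pattern Data\s*=\s* tolerates any spacing around the equals sign. The Python below is an added example that emulates both patterns outside Splunk on constructed variants of the thread's log line (the JSON body is completed here because the original post shows it truncated); it is not SPL and not the project's or any poster's code, and it then parses what remains so that a leftover prefix shows up as a parse failure rather than being silently passed downstream.

```python
import json
import re

# Constructed sample messages modelled on the thread's log line, with the
# truncated JSON payload completed (assumption: a small, valid object).
EVENTS = [
    'Data = {"data":{"time":"2020-02-03T12:43:49+00:00","id":1}}',   # no leading space
    ' Data = {"data":{"time":"2020-02-03T12:43:49+00:00","id":2}}',  # leading space
    'Data={"data":{"time":"2020-02-03T12:43:49+00:00","id":3}}',     # no spaces at all
]

# Emulates | eval message=replace(message," Data = ","") -- Splunk's replace()
# takes a regex, but this one has no metacharacters, so it is a literal match
# that only succeeds when the leading space and both inner spaces are present.
LITERAL = re.compile(r" Data = ")

# Emulates | rex field=message mode=sed "s/Data\s*=\s*//" -- optional
# whitespace on either side of "=", first occurrence only (no "g" flag).
SED_STYLE = re.compile(r"Data\s*=\s*")


def strip_literal(message: str) -> str:
    """Literal replacement; returns the message unchanged when spacing differs."""
    return LITERAL.sub("", message)


def strip_flexible(message: str) -> str:
    """sed-style replacement of the first 'Data = ' prefix, any spacing."""
    return SED_STYLE.sub("", message, count=1)


def extract_json(message: str):
    """Strip the prefix with the flexible pattern and parse the remainder.

    Returns None if what is left is not a complete JSON document, so a caller
    can distinguish "prefix not removed" or "payload truncated" from success
    instead of passing a half-cleaned string on to the next step.
    """
    body = strip_flexible(message)
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for ev in EVENTS:
        print(repr(ev))
        print("  literal replace ->", repr(strip_literal(ev)))
        print("  rex sed         ->", repr(strip_flexible(ev)))
        print("  parsed          ->", extract_json(ev))
```

Running it shows the literal pattern only touching the second event (the one with the leading space), while the flexible pattern strips the prefix from all three and leaves a payload json.loads accepts; the truncated string from the original post parses to None, which is the signal that the remaining pipeline step should not proceed on it.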

d942725
New Member

Hi richgalloway,

rex field=_raw mode=sed "s/Data\s*=\s*//"

The above one worked for me.

0 Karma