I have a use case where I need to pass the previously performed search query to replace part of the message with an empty string.

environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = " | eval message=replace(message," Data = ","")

The message obtained in turn must be used to do another operation. But the replace function itself is not working when I run the Splunk search query. I am able to see the log with "Data =" not being removed; it comes through as it is. I need to do this asap. Can you please provide a solution?
Hi @d942725 - Try using _raw as the field name.
rex field=_raw mode=sed "s/Data\s*=\s*//"
This one Worked for me. Thanks a lot.
@d942725 Welcome :). Can you please accept the answer.
Sure, I'll accept the answer.
Thanks
But for Logstash logs, I have the string data available under the field "message". Is it recommended to do that, which doesn't include the field name there?
I've a message as displayed below from the log.
message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",". Tried both ways, with a space before "Data" and without. But nothing has sorted out the issue. I need to remove the " Data = " in the above message and must be able to get the actual JSON. Please help with the possible ways.
In environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data = " | eval message=replace(message," Data = ","") the replace command has a space before "Data" so it does not match the sample event.

Based on your comment, consider using rex instead of replace.

| rex field=message mode=sed "s/Data\s*=\s*//"
environment="sit" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="Data =" | rex field=message mode=sed "s/Data\s*=\s*//"
I used the above query in the Splunk UI. I am still able to see the output as below:

message: Data = {"data":{"time":"2020-02-03T12:43:49+00:00",

" Data = " was still not removed from the actual message.
There must be something about your data that is not included in this question because the following run-anywhere example works.
| makeresults annotate=true | eval message="Data = {\"data\":{\"time\":\"2020-02-03T12:43:49+00:00\"" | rex field=message mode=sed "s/Data\s*=\s*//" | table message
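To make the difference between the two approaches in this thread concrete outside Splunk, here is an added Python example (not code from the original thread or from Splunk). It runs the literal replacement that `replace(message," Data = ","")` performs and the regex that `rex mode=sed "s/Data\s*=\s*//"` performs over a few constructed "message" values, so you can see why the literal form only matches when the message has exactly one leading space, and then parses the JSON that remains. The sample messages and the completed JSON payload are constructed for this example; the original event in the thread is truncated.

```python
import json
import re

# Constructed sample values of the "message" field (not from the original
# thread); the JSON payload is completed so that it parses.
SAMPLES = {
    "no_leading_space": 'Data = {"data":{"time":"2020-02-03T12:43:49+00:00"}}',
    "leading_space": ' Data = {"data":{"time":"2020-02-03T12:43:49+00:00"}}',
    "tight": 'Data={"data":{"time":"2020-02-03T12:43:49+00:00"}}',
    "tab": 'Data\t=\t{"data":{"time":"2020-02-03T12:43:49+00:00"}}',
}


def strip_literal(message: str) -> str:
    """Equivalent of  | eval message=replace(message," Data = ","")

    replace() here matches the literal string " Data = " including the
    leading space, so it only fires when that exact text is present.
    """
    return message.replace(" Data = ", "", 1)


# Equivalent of  | rex field=message mode=sed "s/Data\s*=\s*//"
# \s* tolerates any amount (including none) of whitespace around the "=".
PREFIX_RE = re.compile(r"Data\s*=\s*")


def strip_prefix(message: str) -> str:
    """Remove the first "Data = " prefix, as sed does without the g flag."""
    return PREFIX_RE.sub("", message, count=1)


def extract_payload(message: str) -> dict:
    """Strip the prefix and parse what is left as JSON."""
    body = strip_prefix(message).strip()
    return json.loads(body)


def compare(samples=SAMPLES) -> dict:
    """For each sample, report whether each method actually removed the prefix."""
    results = {}
    for name, msg in samples.items():
        results[name] = {
            "literal_removed": not strip_literal(msg).lstrip().startswith("Data"),
            "regex_removed": not strip_prefix(msg).lstrip().startswith("Data"),
        }
    return results


if __name__ == "__main__":
    for name, res in compare().items():
        print(f"{name:18} literal={res['literal_removed']!s:5} regex={res['regex_removed']}")
    print(extract_payload(SAMPLES["leading_space"])["data"]["time"])
```

Only the `leading_space` sample is cleaned by the literal replacement; the regex handles all four. If the JSON body could itself contain the text `Data =`, anchor the pattern to the start of the field (`^\s*Data\s*=\s*`) so only the prefix is removed.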
Hi richgalloway, rex field=_raw mode=sed "s/Data\s*=\s*//"

The above one worked for me.