Re: Complicated extraction in props.conf

cpeteman · ‎08-21-2013

The jist of the search is that it removes lots of infomation from _raw and gives me back whats left AS msgdigest.

index=auth |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" |rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" |rex mode=sed "s/(Jan|January|Feb|Febuary|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" |rex mode=sed "s/\s+/_/g"| rename _raw AS msgdigest |stats count by msgdigest

I want to find a way to make this work in prop.conf (or if I have to also using transforms.conf). Appreciate the help!!!!

kristian_kolb · ‎08-21-2013

If you wish to do this at index time, and permanently remove the data before it's even written to an index, you can use SEDCMD in props.conf.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Propsconf

However, I don't think you should remove any timestamps.

Hope this helps,

Krisitian

cpeteman · ‎08-21-2013

The goal is not to remove permanently (you are right in thinking that would be bad 😉 but instead to have a new field without the parts I took out from _raw.

Complicated extraction in props.conf

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...