Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to filter initial data from a file and process...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bkumarm
Contributor
02-16-2016
03:46 AM
HI
I am reading an input from a TCP input that is coming as below. However, each event is having a set of data prepended which is causing the spath command to fail.
I wan to filter out "<01>- hostname " and provide the remaining part as input for spath command.
I need help in getting a regular expression to do it.
The sample input:
<01>- hostname {"name":"DefaultProfile","version":"1.0","isonjkpFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"Event","category":"RT_FLOW_SESSION_CREATE_LS","protocolID":"6","sev":"1","src":"192.168.1.10","dst":"192.168.1.110","srcPort":"25253","dstPort":"80","ujnhbgtrf":"1","credibility":"1","startnjkpEaqer":"1455617975494","startnjkpISO":"2014-01-19T01:29:30.494-03:00","hnbjkiunjkpEaqer":"1455617975494","hnbjkiunjkpISO":"2014-01-19T04:19:35.494-06:00","mkiophirhbYH":"12abc22z-b812-22h7-234f-551016123jal","devnjkpEaqer":"1455639575000","iopHuimeNJI":"2014-01-19T10:19:35.000-06:00","qweLjctNAT":"192.168.1.210","pinBistYHG":"192.168.1.110","srcGyhNBHAsdn":"1","dstGyhNBHAsdn":"1","qweLjctNATPort":"-1234","pinBistYHGPort":"80","hasIdentity":"false","njukoan":"<01>2 2014-01-19T10:17:45.679Z abcd-efg2-9876z WT_FLOW - WT_FLOW_MJHGTYH_CREATE_BS [helps@2222.2.2.2.2.22 localis-compute-zxcv=\"ABC1\" lokmnb-qazwsxe=\"192.168.1.10\" gtfvbj-qwer=\"25253\" qwertyujhnq-address=\"192.168.1.110\" qwertyujhnq-port=\"80\" compute-zxcv=\"kudoi-http\" bat-mnbvcx-address=\"192.168.1.210\" bat-mnbvcx-port=\"78781\" bat-qwertyujhnq-address=\"192.168.1.110\" batqwertyujhnq-port=\"80\" abc-lkjhgfd-name=\"VX-TYU9-TYU-OPT-2\" pkt-lkjhgfd-name=\"None\" protocol-id=\"9\" asdfgh-name=\"JV-X-P786-QWER-BHV\" source-NMLP-name=\"Z-B768-QWER\" qwertyujhnq-NMLP-name=\"M-B890-POIU\" session-id-32=\"098765432\" username=\"N/A\" roles=\"N/A\" MLKIOP-MNJYHGTS-ASDRNJUPJ=\"NJKI3.9876\" application=\"UNKNOWN\" MKUNJI-application=\"UNKNOWN\" mnbhyujgt=\"UNKNOWN\"]","bgasbnJuh":"1","mnbIPOUN":"other","absIPPOL":"other","basghlothp":"false","muqaloID":"9","qwmnpName":"VV_MJOK_SESSION_AWBHNJ_PK","qwaszxmnlkpotyfh":"Session Nhjuyt","wrtyJhyblascvfght":"Access","eventDescription":"A nyhbgtfr basftio bhg inmuytr.","azcvftghbvgt":"acb","qweTgvfrt":"minj-bag6-7856ab-Hnqasui","abcPecpokk":"och-00-145-987.Net_11_4_5_6","mnbJhbpoiu":"other","oijDgfhbnIjkm":"Poijhgb PKM Mnbgftr Asdervhj Thbgfra","nhjRkyhcfBhytf":"MKI-PLO-ASW","thuHyrtfcQhbnjuytfv":"192.168.1.11"}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-16-2016
10:03 AM
You can use following props.conf configuration in your Indexer/Heavy Forwarder, to remove that prefix at index time
props.conf
[YourSourceType]
...other configurations...
SEDCMD-removeprefix = s/^([^\{]+)(\{.*)/2/g
To do this in your search in-line, try something like this
your base search | rex mode=sed "s/^([^\{]+)(\{.*)/2/g" | spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-16-2016
10:03 AM
You can use following props.conf configuration in your Indexer/Heavy Forwarder, to remove that prefix at index time
props.conf
[YourSourceType]
...other configurations...
SEDCMD-removeprefix = s/^([^\{]+)(\{.*)/2/g
To do this in your search in-line, try something like this
your base search | rex mode=sed "s/^([^\{]+)(\{.*)/2/g" | spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bkumarm
Contributor
02-16-2016
11:05 PM
The final Query that solved my requirement is
base search | rex field=_raw mode=sed "s/\<\d+\>\-[^\{]+//g"
this Query, even without spath command provides afield value exactly the way we need for analytics.
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
