Splunk Search

Field manipulation using SED

lakromani
Builder

I am testing using Splunk to index a Minecraft server, but have some problems with user names.
The lines look like this:

Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS

Since the field names do conform to the some=data pattern, they are automatically extracted.
For some reason some users have §4 in front of their name and §r after it.

I have temporarily solved this by using sed like this:

source=minecraft | rex mode=sed field=player "s/(§4|§r)//g" | top player

This works fine.
But I would like to remove the data from the indexed data, so I tried this:

props.conf
[minecraft]
SED-remove_data = "s/(§4|§r)//g"

and

props.conf
[minecraft]
SED-remove_data = s/(§4|§r)//g

But neither of them works.
What am I doing wrong?


lakromani
Builder

The problem was the ASCII code 245 = § (section sign), and I need to use SEDCMD and not SED.
After some sleep and some more googling, I found how to remove it, like this:

[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g
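
The normalisation the thread arrives at (strip the colour prefix and reset suffix from player before counting, either at search time with rex mode=sed or at index time with SEDCMD), as an added Python example that is not part of the original thread and not Splunk code. It runs the thread's sample lines through a key=value extraction, applies both the accepted answer's narrow §4/§r pattern and a generalised one (assumption: the Minecraft formatting-code alphabet 0-9, a-f, k-o and r after the section sign), and then shows at byte level why the answer's pattern is written as \xa7: that is the Latin-1 byte for §, whereas in UTF-8 the same character is the two bytes C2 A7, so a single-byte pattern leaves the lead byte behind. Whether Splunk presents the event to SEDCMD as Latin-1 or UTF-8 depends on its CHARSET handling, which this example does not model. The first two sample lines are copied from the question; the third is constructed to show stacked codes.

```python
import re

# Constructed sample events modelled on the thread's Minecraft log format
# (the first two mirror the question, the third is made up to show stacked codes).
SAMPLE_LOG = [
    "Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS",
    "Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS",
    "Fri Mar 04 22:25:01 CET 2016 action=block_broken player=§a§lShiny§r world=world x=31.0 y=105.0 z=-281.0 game_time=8310 block_type=STONE",
]

# key=value pairs, the shape Splunk auto-extracts from these events.
KV_RE = re.compile(r"(\w+)=(\S+)")

# The thread's pattern: only the two codes seen in the sample, §4 and §r.
THREAD_CODE_RE = re.compile("\u00a7(?:4|r)")

# Generalisation (assumption, see lead-in): any Minecraft formatting code,
# i.e. the section sign followed by one of 0-9, a-f, k-o or r.
MC_CODE_RE = re.compile("\u00a7[0-9a-fk-or]")


def extract_fields(line: str) -> dict:
    """Return the key=value fields of one event as a dict."""
    return dict(KV_RE.findall(line))


def strip_thread_codes(name: str) -> str:
    """Remove only §4 and §r, like the accepted answer's SEDCMD."""
    return THREAD_CODE_RE.sub("", name)


def strip_format_codes(name: str) -> str:
    """Remove every Minecraft formatting code from a player name."""
    return MC_CODE_RE.sub("", name)


def top_players(lines, strip=strip_format_codes) -> dict:
    """Count events per cleaned player name: the equivalent of `| top player`
    once the field has been normalised."""
    counts = {}
    for line in lines:
        player = strip(extract_fields(line).get("player", ""))
        counts[player] = counts.get(player, 0) + 1
    return counts


# Byte-level view, because the SEDCMD in the thread is written as the single
# byte \xa7 rather than the character §.
SINGLE_BYTE_RE = re.compile(rb"\xa7[0-9a-fk-or]")         # matches a Latin-1 encoded §
UTF8_SAFE_RE = re.compile(rb"(?:\xc2)?\xa7[0-9a-fk-or]")  # also consumes the UTF-8 lead byte


def byte_level_strip(raw: bytes, pattern=SINGLE_BYTE_RE) -> bytes:
    """Apply a byte regex to raw event bytes, as an index-time rewrite would."""
    return pattern.sub(b"", raw)


def encoding_check(name: str = "\u00a74BirksX\u00a7r") -> dict:
    """Show what the \\xa7 pattern does to the same name in two encodings.

    In Latin-1 the section sign is the single byte A7; in UTF-8 it is C2 A7,
    so a pattern anchored on A7 alone leaves the C2 lead byte behind.
    """
    latin1 = name.encode("latin-1")
    utf8 = name.encode("utf-8")
    return {
        "latin1_bytes": latin1,
        "utf8_bytes": utf8,
        "latin1_stripped": byte_level_strip(latin1),
        "utf8_stripped": byte_level_strip(utf8),
        "utf8_stripped_safe": byte_level_strip(utf8, UTF8_SAFE_RE),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        raw = extract_fields(line)["player"]
        print(f"{raw!r:16} thread: {strip_thread_codes(raw)!r:14} general: {strip_format_codes(raw)!r}")
    print(top_players(SAMPLE_LOG))
    for key, value in encoding_check().items():
        print(f"{key:20} {value!r}")
```

Run it directly to print the before/after names and the byte views. If an index-time rewrite built on \xa7 leaves a stray byte in the field, the UTF-8 view above is the byte-level explanation to check against before changing the pattern.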


somesoni2
SplunkTrust

The correct attribute name is SEDCMD in props.conf.

Also, I hope you're adding this props.conf on the heavy forwarder/indexer.

lakromani
Builder

Will test it out.
I only have one Splunk server, no forwarder.

Edit.
Did not work on my server.

[minecraft]
SEDCMD-remove_data = "s/(§4|§r)//g"

Edit2.
It seems that the § symbol messes things up.
After removing the " from the SEDCMD command, there is no more player field, but it changed it to playe and has removed the 4 from the time, so it ends up like this:

playe=§BirksX§r

I can see in nano that the § shows as a strange character, but it looks OK using cat.
