Hi there,
I have several multivalue fields that are sometimes uneven. To make up for this, I'm trying to use SEDCMD to add a value anytime that value would otherwise be empty.
Example before SEDCMD:
FIELD 1    FIELD 2
1
2          data
3
Example before SEDCMD:
FIELD 1    FIELD 2
1          -1
2          data
3          -1
So I have SEDCMD-fillvaluenull = s/"fields": {}/"fields": {"value":"-1"}/g
And if I search for _raw, I see that it has successfully changed to -1, but when I search for fields.value it does not show the -1; it seems to return only the data that I imported.
Why?
Because Indexed Extractions and SEDCMDs in props both occur at index time and both end up in the index. However, I'm not sure why _raw does not match event Information or Interesting fields.
Instead of the sedcmd you might try the MISSING_VALUE_REGEX parameter in props.conf to fill in fields that are empty.
Use KV_MODE = json to extract the field at search-time which will happen after SEDCMD.
I'm assuming you are using INDEXED_EXTRACTIONS=json in your props. SEDCMD happens AFTER INDEXED_EXTRACTIONS. In other words, the fields are extracted before they are changed in _raw. You could try removing INDEXED_EXTRACTIONS and do the extractions in SPL or use REPORT or EXTRACT in your props on your SH.
As soon as I removed INDEXED_EXTRACTIONS I'm unable to see any fields on the right-hand side (of the Upload GUI).
Do you recommend I not use SEDCMD? I'm not sure how to use SPL or Report or EXTRACT.
You cannot use INDEXED_EXTRACTIONS & SEDCMD the way you were using it. Your options are to keep the SEDCMD, remove INDEXED_EXTRACTIONS and use field extractions on the SH by making these changes:
props.conf
[unique_stanza_with_sedcmd]
KV_MODE = json
thanks to @somesoni2 for the suggestion
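
The ordering described in this thread, as a small Python model added here for illustration (not code from any poster or from Splunk). The event shape, the function names and the flattening helper are assumptions; only the sed expression comes from the question.

```python
import json
import re

# Constructed sample events; the "fields" object is sometimes empty, as in the question.
RAW_EVENTS = [
    '{"id": 1, "fields": {}}',
    '{"id": 2, "fields": {"value": "data"}}',
    '{"id": 3, "fields": {}}',
]

# Python equivalent of the thread's SEDCMD: s/"fields": {}/"fields": {"value":"-1"}/g
SED_PATTERN = re.compile(r'"fields": \{\}')
SED_REPLACEMENT = '"fields": {"value":"-1"}'

def sedcmd(raw):
    """Rewrite _raw the way the SEDCMD in the question does."""
    return SED_PATTERN.sub(SED_REPLACEMENT, raw)

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names such as fields.value."""
    out = {}
    for key, val in obj.items():
        name = prefix + key
        if isinstance(val, dict):
            out.update(flatten(val, name + "."))
        else:
            out[name] = val
    return out

def index_time_extraction(raw):
    """Model of the thread's ordering: fields are extracted first, then _raw is rewritten."""
    fields = flatten(json.loads(raw))   # extraction sees the original event
    return {"_raw": sedcmd(raw), "fields": fields}

def search_time_extraction(raw):
    """Model of SEDCMD at index time with JSON extraction deferred to search time."""
    stored = sedcmd(raw)                # only the rewritten _raw is stored
    return {"_raw": stored, "fields": flatten(json.loads(stored))}

def report(mode):
    """Return fields.value per event (None when the field was never extracted)."""
    return [mode(raw)["fields"].get("fields.value") for raw in RAW_EVENTS]

if __name__ == "__main__":
    print("indexed extraction + SEDCMD:", report(index_time_extraction))
    print("SEDCMD + search-time JSON:  ", report(search_time_extraction))
```

In the first mode _raw contains -1 while fields.value stays empty for events 1 and 3, which is the mismatch the question describes; in the second mode the field is read from the rewritten _raw.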