Splunk Search

How to transform a string and ignore all tagged parts like {example}

HeinzWaescher
Motivator

Hi,

Let's say we have a string with various tagged entries:

"This {field1} is {delete_this} the example {tagged_element}"

Is it possible to ignore all tagged elements, no matter how many of them exist? Here the result would be

"This is the example"

Thanks in advance
Heinz

0 Karma
1 Solution

PPape
Contributor

Hello Heinz,

Yes, this is possible.
Where do you want to do this? Before indexing?

Then you could do it in your props.conf with a regex like this example:

SEDCMD-ip = s/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})/\1xxx/g

This replaces the last octet in an IP address.

Or, when you want to do it at search time, you could do it in your query like this:

… | eval callingPartyNumber = replace(callingPartyNumber, "(\d+)(\d{3})", "xxxxx\2")

The output in both cases is 192.168.2.xxx

So you could edit the regexes to fit your needs and replace the unwanted strings with an empty string.


HeinzWaescher
Motivator

Hi,

A short follow-up question regarding this topic 🙂

How to only keep the tagged elements?

Best regards
Heinz

0 Karma


HeinzWaescher
Motivator

Thanks for your post. I would like to do it at search time. Unfortunately, I'm not familiar enough with regex to adjust the example to my needs.

0 Karma

PPape
Contributor

Could you give me an example data line? Then I could try it.

0 Karma

HeinzWaescher
Motivator

I created a testcase like this:

index=main | head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| table field

0 Karma

PPape
Contributor

It might not be the most beautiful regex, but it works with your example...

index=_internal | head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| eval field=replace(field, "{([^}]+)}|([\S])", "\2")
| table field
0 Karma
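As an added example (not code from the thread), the accepted answer's regex and the working search-time regex above are run here through Python's re module, which accepts the same PCRE-style syntax that Splunk's replace() uses for these patterns, so the results can be checked outside Splunk. The sample string is the one from Heinz's test case; the strip_tags and keep_tags helpers and the tighter `\s*\{[^}]*\}` pattern are my own assumptions, not PPape's. keep_tags also answers the follow-up question (keeping only the tagged elements), which the thread never got to.

```python
import re

# Constructed sample line: the same string used in the thread's test case.
SAMPLE = "This {field1} is {delete_this} the example {tagged_element}"

# Regex posted in the thread, applied exactly as Splunk's
# replace(field, "{([^}]+)}|([\S])", "\2") applies it: every {...} group is
# replaced by the (empty) second group, every other non-space character is
# replaced by itself, and whitespace is never matched, so it survives as-is.
THREAD_PATTERN = re.compile(r"{([^}]+)}|([\S])")


def thread_regex(s: str) -> str:
    """Apply the thread's regex unchanged. Note the doubled and trailing spaces."""
    return THREAD_PATTERN.sub(r"\2", s)


# Tighter pattern (my assumption, not from the thread): a tag together with the
# whitespace in front of it, so the spacing collapses. It is valid PCRE, so the
# SPL equivalent is:  | eval field=trim(replace(field, "\s*\{[^}]*\}", ""))
TAG_WITH_SPACE = re.compile(r"\s*\{[^}]*\}")
TAG = re.compile(r"\{[^}]*\}")


def strip_tags(s: str) -> str:
    """Remove every {...} element, however many there are, and tidy the spacing."""
    return TAG_WITH_SPACE.sub("", s).strip()


def keep_tags(s: str) -> str:
    """Inverse of strip_tags, for the follow-up question: keep only the {...} elements."""
    return " ".join(TAG.findall(s))


if __name__ == "__main__":
    print(repr(thread_regex(SAMPLE)))  # 'This  is  the example '
    print(repr(strip_tags(SAMPLE)))    # 'This is the example'
    print(repr(keep_tags(SAMPLE)))     # '{field1} {delete_this} {tagged_element}'
```

Two caveats worth knowing before putting either pattern into a SEDCMD or an eval: the thread's `{([^}]+)}` needs at least one character between the braces, so an empty `{}` is left in place, and `[^}]*` does not understand nesting, so a `{` inside a tag is swallowed up to the first `}`. If the regex is being used to mask data before indexing, test it against such edge cases, because anything the pattern misses is what ends up in the index.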

HeinzWaescher
Motivator

This works, thanks a lot!

0 Karma

HeinzWaescher
Motivator

I would assume something like {.*?}( |$)

0 Karma