How to transform a string and ignore all tagged parts like {example}

HeinzWaescher
Motivator

Hi,

let's say we have a string with various tagged entries:

"This {field1} is {delete_this} the example {tagged_element}"

Is it possible to ignore all tagged elements, no matter how many of them exist? Here the result would be

"This is the example"

Thanks in advance
Heinz

PPape
Contributor

Hello Heinz,

Yes, this is possible.
Where do you want to do this? Before indexing?

Then you could do it in your props.conf with a regex like this example:

SEDCMD-ip = s/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})/\1xxx/g

This replaces the last octet in an IP address.

Or when you want to do it at search time you could do it in your query like this

… | eval callingPartyNumber = replace(callingPartyNumber, "(\d+)(\d{3})", "xxxxx\2")

Output in both ways is 192.168.2.xxx

So you could edit the regexes to fit your needs and replace the not wanted strings with an empty string.

HeinzWaescher
Motivator

Hi,

a short follow up question regarding this topic 🙂

How to only keep the tagged elements?

Best regards
Heinz

HeinzWaescher
Motivator

Thanks for your post. I would like to do it at search time. Unfortunately I'm not familiar enough with regex to adjust the example to my needs.

PPape
Contributor

Could you give me an example data line? Then I could try it.

HeinzWaescher
Motivator

I created a test case like this:

index=main| head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| table field

PPape
Contributor

It might not be the most beautiful regex but it works with your example...

index=_internal| head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| eval field=replace(field, "{([^}]+)}|([\S])", "\2")
| table field
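To see what the regexes from this thread actually do on the sample line, here is an added Python example (not from the thread, and not Splunk code); it assumes Python's re module handles these patterns the same way Splunk's PCRE engine does, and it also covers the follow-up question of keeping only the tagged elements.

```python
import re

# Constructed sample line taken from the thread, not real indexed data.
SAMPLE = "This {field1} is {delete_this} the example {tagged_element}"

# PPape's search-time regex, run here under Python's re module (assumption:
# it behaves like Splunk's PCRE for this pattern). The alternation captures
# a tagged element as group 1 and drops it; any other non-whitespace
# character is captured as group 2 and written back. Spaces never match,
# so every space survives, including the ones that surrounded each tag.
THREAD_PATTERN = re.compile(r"{([^}]+)}|([\S])")

def strip_tags_thread_style(text: str) -> str:
    # Splunk's "\2" replacement is r"\2" in re.sub; Python substitutes an
    # empty string when group 2 did not take part in the match.
    return THREAD_PATTERN.sub(r"\2", text)

# Tighter variant: match the tag together with the whitespace before it, so
# no double spaces are left behind. [^{}] refuses to run past a stray brace,
# so a malformed line cannot lose a large chunk of text to one match.
TAG_WITH_SPACE = re.compile(r"\s*\{[^{}]*\}")

def strip_tags(text: str) -> str:
    return TAG_WITH_SPACE.sub("", text).strip()

# Follow-up question: keep only the tagged elements, in their original order.
TAG_ONLY = re.compile(r"\{[^{}]*\}")

def keep_tags(text: str) -> str:
    return " ".join(TAG_ONLY.findall(text))

# The index-time SEDCMD regex from the accepted answer, same idea: capture
# the first three octets and replace the last one with a fixed mask.
LAST_OCTET = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})")

def mask_last_octet(ip: str) -> str:
    return LAST_OCTET.sub(r"\1xxx", ip)

if __name__ == "__main__":
    print(repr(strip_tags_thread_style(SAMPLE)))  # 'This  is  the example '
    print(repr(strip_tags(SAMPLE)))               # 'This is the example'
    print(keep_tags(SAMPLE))                      # {field1} {delete_this} {tagged_element}
    print(mask_last_octet("192.168.2.15"))        # 192.168.2.xxx
```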

HeinzWaescher
Motivator

This works, thanks a lot!

HeinzWaescher
Motivator

I would assume something like {.*?}( |$)
