Remove first four lines of field

calarie001 · ‎07-24-2018

I want to display each event's raw text in a table column, but I need to remove the first four lines of the field (terminal_id, operator_id, date, and time lines). Is there a way I can always 'hide' the first four lines of the field before displaying it in a dashboard table at searchtime?

This is what the field looks like:
CA7_TERMINAL_ID= data here!

CA7_OPERATOR_ID= data here!

CA7_DATE= data here!

CA7_TIME= data here!

CA7_TRANSACTION= data here!

CA7_JOB= data here!

CA7_SYSTEM= data here!

CA7_DESC= data here!

CA7_ACTIVE_SIZE=data here !

CA7_PROGRAM= data here!

CA7_MESSAGE= data here!

woodcock · ‎07-24-2018

It really, really, really, really helps to see you raw events and your search. Because you keep referring to this dataset as a field I am assuming that this is a single event and that you need to strip out that data. This seems unlikely but...

Try this

Your Search Here
| rex field=YourFieldNameHere mode=sed "s/^.*?CA7_TIME=[^\n\r\s]+//"

HiroshiSatoh · ‎07-24-2018

If the number of logs is large, it is slow.

(your search)|streamstats count by rec_no
|eval CA7_TERMINAL_ID=if(rec_no<5,"",CA7_TERMINAL_ID)
|eval CA7_OPERATOR_ID=if(rec_no<5,"",CA7_OPERATOR_ID)
|eval CA7_DATE=if(rec_no<5,"",CA7_DATE)
|eval CA7_TIME=if(rec_no<5,"",CA7_TIME)

gcusello · ‎07-24-2018

Hi calarie001,
in you dashboard panels do you use table command to define which fields to display or do you display raw data?
In the first case you can choose which fields to display

index=my_index
| table CA7_TIME CA7_TRANSACTION CA7_JOB CA7_SYSTEM CA7_DESC CA7_ACTIVE_SIZE CA7_PROGRAM CA7_MESSAGE

Bye.
Giuseppe

Remove first four lines of field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases