How to work around SEDCMD trumping EXTRACT and TRANSFORM

chrismmckenna
New Member

I have events that look like the following:

1pjxVfF7i84nvqrD4p24UVa|2019-05-14 20:41:04.035:[0:T][T1847][PaymentMethodLogoRepositoryImpl][1300][]Fetch logo (consulate_0704c4eb6fb5)
1pjxVfF7i84nvqrD4p24UVa|    paymentMethod=Interac
1pjxVfF7i84nvqrD4p24UVa|    countryCode=CA

Note the repetition of 1pjxVfF7i84nvqrD4p24UVa| for every line of the log - sometimes the events are hundreds of lines long. The repetition is wasteful noise.

I want to extract the repeated value into a variable (e.g. transaction_id="1pjxVfF7i84nvqrD4p24UVa"). I've used the following for that in props.conf, and a SEDCMD to strip the data from _raw:

[cbms_merchant_logs]
EXTRACT-transaction_id = ^(?<transaction_id>\w{23})\|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}:
SEDCMD-strip-transaction-id = s/\w{23}\|//g

From what I understand, the SEDCMD executes first so the data won't be available for the EXTRACT.

How can I achieve the goals of key-value EXTRACTION and SEDCMD substitution? Multiple TRANSFORMS perhaps? Examples are appreciated.

0 Karma

somesoni2
Revered Legend

The SEDCMD is executed during parsing time (before indexing), so it should be deployed to your heavy forwarder OR indexer, whichever comes first. The EXTRACT is a search-time field extraction, so it executes (obviously after indexing is done) when a search is fired on that sourcetype.

For your use case, try something like this (props.conf on your heavy forwarder OR indexer):

[cbms_merchant_logs]
SEDCMD-transaction_id_ext = s/^(\w{23})(\|.+)/transactionId="\1"\2/
SEDCMD-strip-transaction-id = s/\w{23}\|//g

FrankVl
Ultra Champion

That's what I would suggest as well. Keep the value on the first line of the event and remove it elsewhere. Note: with the naming you have now, wouldn't the second one be executed first (because s comes before t)?

An alternative could be to write a SED that only triggers for the subsequent lines (where the | is followed by some white space): SEDCMD-strip-transaction-id = s/\w{23}\|\s+//g

0 Karma
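To make the ordering point from the two posts above concrete, here is an added example (not code from the thread or from Splunk) that simulates the index-time SEDCMD pipeline and the search-time EXTRACT in Python. It applies the two substitutions from somesoni2's answer in both possible orders, then FrankVl's whitespace-anchored alternative, and checks which of them leaves the transaction ID recoverable. The sample event is constructed from the three lines in the question; `parse_sedcmd`, `apply_stanza` and `auto_kv` are illustrative helpers, and the claim that multiple SEDCMD-<class> keys run in ASCII order of class name is taken from FrankVl's remark and treated as an assumption, not verified against Splunk itself.

```python
import re

# Constructed sample event, modelled on the three lines quoted in the question.
RAW_EVENT = (
    "1pjxVfF7i84nvqrD4p24UVa|2019-05-14 20:41:04.035:[0:T][T1847]"
    "[PaymentMethodLogoRepositoryImpl][1300][]Fetch logo (consulate_0704c4eb6fb5)\n"
    "1pjxVfF7i84nvqrD4p24UVa|    paymentMethod=Interac\n"
    "1pjxVfF7i84nvqrD4p24UVa|    countryCode=CA"
)

# Index-time SEDCMDs from the answer above (stray ')' removed from the strip pattern).
ANSWER_STANZA = {
    "SEDCMD-transaction_id_ext": r's/^(\w{23})(\|.+)/transactionId="\1"\2/',
    "SEDCMD-strip-transaction-id": r"s/\w{23}\|//g",
}

# FrankVl's alternative: strip only where the pipe is followed by whitespace.
ALT_STANZA = {
    "SEDCMD-strip-transaction-id": r"s/\w{23}\|\s+//g",
}

# Search-time EXTRACT from the question (Python named-group syntax).
EXTRACT_TRANSACTION_ID = (
    r"^(?P<transaction_id>\w{23})\|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}:"
)


def parse_sedcmd(expr):
    """Split 's<d>regex<d>replacement<d>flags' on its unescaped delimiter.

    Returns (pattern, replacement, count); count=0 means replace every match
    (the 'g' flag), count=1 means first match only, as in sed.
    """
    if not expr.startswith("s") or len(expr) < 4:
        raise ValueError(f"not a substitution: {expr!r}")
    delim = expr[1]
    parts = re.split(r"(?<!\\)" + re.escape(delim), expr[1:])
    if len(parts) != 4:  # parts[0] is the empty string before the first delimiter
        raise ValueError(f"malformed sed expression: {expr!r}")
    _, pattern, repl, flags = parts
    return pattern, repl, 0 if "g" in flags else 1


def apply_sedcmds(raw, exprs):
    """Apply sed substitutions to the event text in the order given."""
    text = raw
    for expr in exprs:
        pattern, repl, count = parse_sedcmd(expr)
        text = re.sub(pattern, repl, text, count=count)
    return text


def apply_stanza(raw, stanza):
    """Apply a stanza's SEDCMDs in ASCII order of their class names.

    ASSUMPTION (hypothetical, from FrankVl's remark in the thread): multiple
    SEDCMD-<class> keys in one stanza are run sorted by class name.
    """
    return apply_sedcmds(raw, [stanza[key] for key in sorted(stanza)])


def extract_transaction_id(indexed_text):
    """Simulate the search-time EXTRACT against the indexed _raw."""
    m = re.search(EXTRACT_TRANSACTION_ID, indexed_text)
    return m.group("transaction_id") if m else None


def auto_kv(indexed_text):
    """Crude stand-in for search-time key="value" auto-extraction (assumption)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', indexed_text))


if __name__ == "__main__":
    in_class_order = apply_stanza(RAW_EVENT, ANSWER_STANZA)
    print("class order (strip first):", extract_transaction_id(in_class_order))
    rewrite_then_strip = apply_sedcmds(
        RAW_EVENT,
        [ANSWER_STANZA["SEDCMD-transaction_id_ext"],
         ANSWER_STANZA["SEDCMD-strip-transaction-id"]],
    )
    print("rewrite first, auto kv:", auto_kv(rewrite_then_strip))
    alt = apply_stanza(RAW_EVENT, ALT_STANZA)
    print("whitespace-anchored strip, EXTRACT:", extract_transaction_id(alt))
```

Running it shows the three outcomes: with the strip class sorting ahead of the rewrite class, the prefix is gone from every line before the rewrite runs and neither EXTRACT nor auto-kv can recover the ID; with the rewrite applied first, the quoted `transactionId="..."` on line one survives the strip (the closing quote, not a word character, precedes the pipe) and only the continuation lines lose their prefix; with the `\|\s+` variant alone, line one keeps its original prefix so the EXTRACT from the question still matches, and the continuation lines lose both the prefix and their leading whitespace.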

sloshburch
Splunk Employee

I made this an answer because I'm hoping that the lack of response meant you "answered" the question for @chrismmckenna. We'll find out by seeing if he accepts this as an answer.

0 Karma