
Cleaning raw data at index time or search time?

aapittts
Path Finder

I have raw data that looks like this: (4)example(3)domain(3)com(0). In my search, I've been using a macro that looks like this:

eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.", "")

This produces the desired result. However, when I try to pipe the output of the macro to a lookup table it doesn't work. I've narrowed the issue down to the regex because if I put the example domain above in my lookup table I get the proper results. That is not the solution because I have hundreds of domains in the lookup table and cannot change them all. So my question is: is there a way to pass the output of the regex properly, or is this something that needs to be taken care of in the props or transforms?

1 Solution

aapittts
Path Finder

After fighting with the regex more, I realized I wasn't replacing the final '.' from the domain name, thus not getting any matches against my lookup table.

eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.|\.$", "")
