Solved: Re: How to modify CSV raw event data before fields...

Maite35 · ‎03-27-2015

Hello,

I am using FIELD_DELIMITER=; and am working on data that use commas instead of decimals. I want to use a SED to replace those with dots when indexing (s /,/./ g) I tried this in props.conf:

SEDCMD-coma = s/,/./g

I also tried this in props. Conf :

TRANSFORMS-toto = toto

And in transforms.conf :

[toto]
REGEX = s/,/./g

And in all cases the behavior is the same : on my raw events ( _raw ) it works fine:

18/03/2015;23:50:00;XXX;XXX;XXX;16;6.52;41740109;0.03;46987.89;193790;0;12885230;0;25215.5;0;15;87;0;0;40008787;0;37.97;0;667;563.19;47255.63;525.22;369.59

But it never effects the fields that are exracted:

10 premières valeurs,          Nombre,     %
0          3832     6,415 %
0,07        108     0,181 %
0,76        103     0,172 %
0,02        97      0,162 %
0,77        96      0,161 %

Ideas to do this?

Thank you in advance. Best Regards.

Maite35 · ‎08-11-2015

Finaly I used Date Model :

rex mode=sed field=FIELD "s/,/./g"

View solution in original post

woodcock · ‎08-11-2015

OK, your solution was to post-modify the fields one-by-one at search time. You don't have to use a Data Model, you can just do it like this whenever you need it (search bar, dashboard), like this:

... | rex mode=sed field=<SomeFieldName> "s/,/./g"

Maite35 · ‎08-11-2015

Finaly I used Date Model :

rex mode=sed field=FIELD "s/,/./g"

woodcock · ‎04-09-2016

You should "Accept" the answer from the person who gives you the answer.

woodcock · ‎08-10-2015

It looks like you will probably have to pre-process the file outside of Splunk. I wish there was more detail here:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Configurationparametersandthedatapipeline

Maite35 · ‎08-10-2015

Thanks for your help !
finaly, I used Data-model to sed my coma with point ...

rapmancz · ‎04-09-2016

please what did you do exactly?

woodcock · ‎08-10-2015

OK, post exactly what you did as an Answer and then Accept your answer so that we can all learn.

woodcock · ‎08-10-2015

How are you creating your fields? Are you using INDEXED_EXTRACTIONS as described here?

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

Maite35 · ‎08-10-2015

Hi woodcock,

Yes I am using INDEXED_EXTRACTIONS=CSV

Maite35 · ‎03-30-2015

hello somesoni2 and thank you for your answer and help.
The behavior with what you offer is the same as quoted above: dot is present in _raw but not passed on to the fields extracted from csv file.

somesoni2 · ‎03-27-2015

Give this a try

In props.conf:

    SEDCMD-coma = s/(\d*),(\d*)/\1.\2/g

How to modify CSV raw event data before fields extraction stage of INDEXED_EXTRACTIONS=CSV

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...