Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove extra characters from an indexed event?

Bellamar10
New Member
‎05-22-2018 01:25 PM

Good afternoon

Is there a way to remove extra characters (\xAF) from already indexed events such as this one:

20182018--0505--2222  1111::3939::1818,,937937 [ [4747] ] ERRORERROR  -- 
  ErrorError  MessageMessage::  OneOne  oror  moremore  errorserrors  occurredoccurred..
 \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Stack Trace:

Thank you in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎05-22-2018 01:35 PM

Hi Bellamar10,

try this:

| makeresults 
| eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR -- 
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF" 
| rex mode=sed field=foo "s/\\\xAF//g"

The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF from your search result. But remember the characters will still be in the _raw event 😉

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎05-22-2018 01:35 PM

Hi Bellamar10,

try this:

| makeresults 
| eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR -- 
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF" 
| rex mode=sed field=foo "s/\\\xAF//g"

The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF from your search result. But remember the characters will still be in the _raw event 😉

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 01:48 PM

Just to add on this - because you explicitely asked for "already indexed events" - you can do this like shown above, but it will not be persistent. Data, once indexed, can not be changed afterwards (permanently), only in every search again and again.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-22-2018 01:54 PM

HeHE, did you read my answer to the end? I already mentioned that in my answer 😉

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 02:57 PM

Hehe, I read that, but I wasnt clear to me that you meant that... which might be a non-native-English issue with me, sorry 😉

Reply
Solved! Jump to solution

MuS
Legend
‎05-22-2018 03:05 PM

let's call it lost in translation from swiss german - german - english at the writer side and english - german on the reader side 🙂

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...