Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex in transform.conf delete text in the middle

Alwiinie
New Member
‎04-24-2017 02:18 AM

I'm having some trouble to delete the text in "plugin_set".

Sample Incoming data:

 {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "10026;10111;10150;10170;10183;", "pokemon": "somsestuff3"}

Sample what I want:

 {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "", "pokemon": "somsestuff3"}

This the closest that I got:

REGEX = (.*)("plugin_set".*\,)
DEST_KEY = _raw
FORMAT = $1 nullQueue

I also tried this, but that showed everything.

REGEX = (.*)("plugin_set".*\,)(.*)
DEST_KEY = _raw
FORMAT = $1 nullQueue $3

What is the right regex string for deleting the text in "plugin_set"?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎04-24-2017 01:41 PM

Try this in transforms.conf at indexer/heavy forwarder (assuming you're taking care of props.conf changes already)

REGEX = ^(.+\"plugin_set\"\:\s*\")([^\"]+)(\".+)
DEST_KEY = _raw
FORMAT = $1$3
0 Karma
Reply

Alwiinie
New Member
‎04-25-2017 12:04 AM

It doesn't work this also showed everything. I don't know if need to change the props.conf more then I now have.
This what I currently have:
tansform.conf:
[removepluginset]
REGEX = ^(.+\"plugin_set\":\s*\")([^\"]+)(\".+)
DEST_KEY = _raw
FORMAT = $1$3

props.conf
[host::hostname]
TRANSFORMS-set = removepluginset

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 06:02 AM

Try this.

REGEX = (.*"plugin_set":\s")([^,]+)(",.*)
DEST_KEY = _raw
FORMAT = $1$3
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alwiinie
New Member
‎04-24-2017 07:34 AM

It doesn't work, it just shows the all the data.

Btw in the props.conf I use this

TRANSFORMS-set = removepluginset
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 12:13 PM

Are you restarting Splunk after each change to the config files?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alwiinie
New Member
‎04-24-2017 11:54 PM

Yes, after every change in transform.conf I restart Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...