topic Re: remove/change long field before inserting event in Getting Data In

remove/change long field before inserting event

dorHerbesman — Wed, 02 Jul 2025 15:17:43 GMT

i have events that contains a specific field that sometimes contain a very long field which make the rest of the event be truncated, i want to remove this field or change it "long field detected".

the problematic field call "file" and i should catch it's last appearnce, also i want the data after it so i should stop the removal after the first "," (comma). also the event contains nested fields.

i've tried props.conf+transform conf like that:ete

but it doesn't work.

here is an example for 1 event:
deleted due to security reasons

Re: remove/change long field before inserting event

richgalloway — Wed, 27 Nov 2024 15:28:06 GMT

The REGEX does not match the sample data because backslashes must be escaped. Try

REGEX = \\"file\\":\s*\\"(.{5000,}?),"

Re: remove/change long field before inserting event

PickleRick — Wed, 27 Nov 2024 15:42:33 GMT

This way you can only (if the regex matches) extract indexed field, not modify the original event (maybe except when you overwrite the _raw event).

You're looking for the SEDCMD functionality. I'd also slightly modify your regex since you're looking for a base64-encoded contents which may not contain neither backslash nor a quote.

SEDCMD-trim-file = s/(\\"file\\":\s*\\")([^\\"]{5000,}?)/\1long_file/g

See it here

https://regex101.com/r/8nX7FY/1

(the regex101 substitution uses a bit different format to SEDCMD - it uses $1 instead of \1)

Re: remove/change long field before inserting event

dorHerbesman — Thu, 28 Nov 2024 11:20:35 GMT

is this props.conf/transform.conf command or in splunk command? the goal is to remove/alter the field prior entering it to splunk.

Re: remove/change long field before inserting event

PickleRick — Thu, 28 Nov 2024 15:21:22 GMT

https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf#Field_extraction_configuration

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
* No default.

Re: remove/change long field before inserting event

dorHerbesman — Wed, 02 Jul 2025 15:18:24 GMT

That's a good direction! unfortunately still not working 100% , i used your code in my props.conf :

[APIGW] SEDCMD-trim-file = s/(\\"file\\":\s*\\")([^\\"]{5000,}?)/\1long_file/g

and here are the results:

it's like it only replace the 5000 first character instead the entire filed but this is a big step in the right direction thank you for your help!
i will try taking it from here but it will be mostly appreciated if you have the solution in you mind and can share it

EDIT:
From a few tests I've made it stops the field change exactly after 5000 characters instead of running till the first comma / end of field.

EDIT2:
the regex that was needed was:

SEDCMD-trim-file = s/(\\"file\\":\s*\\")([^\\"]{5000,})(\\")/\1long_file/g

but thank you for all the help!

EDIT3:
Well, apparently this solution alone is not enough, I also had to increase the truncate value because when the secmd command run it replaces the string at the end meaning it first recive the default 10,000 characters and only than replace which is not good enough because the final result is still truncated events, i needed to increase truncate value so it will recive the entire event and later on it's doing the replacement.