https://community.splunk.com/t5/Getting-Data-In/Complicated-extraction-in-props-conf/m-p/42241#M7841 <P>The jist of the search is that it removes lots of infomation from _raw and gives me back whats left AS msgdigest.</P> <PRE><CODE>index=auth |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" |rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" |rex mode=sed "s/(Jan|January|Feb|Febuary|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" |rex mode=sed "s/\s+/_/g"| rename _raw AS msgdigest |stats count by msgdigest </CODE></PRE> <P>I want to find a way to make this work in prop.conf (or if I have to also using transforms.conf). Appreciate the help!!!!</P> Wed, 21 Aug 2013 20:34:00 GMT cpeteman 2013-08-21T20:34:00Z https://community.splunk.com/t5/Getting-Data-In/Complicated-extraction-in-props-conf/m-p/42241#M7841 <P>The jist of the search is that it removes lots of infomation from _raw and gives me back whats left AS msgdigest.</P> <PRE><CODE>index=auth |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" |rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" |rex mode=sed "s/(Jan|January|Feb|Febuary|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" |rex mode=sed "s/\s+/_/g"| rename _raw AS msgdigest |stats count by msgdigest </CODE></PRE> <P>I want to find a way to make this work in prop.conf (or if I have to also using transforms.conf). Appreciate the help!!!!</P> Wed, 21 Aug 2013 20:34:00 GMT https://community.splunk.com/t5/Getting-Data-In/Complicated-extraction-in-props-conf/m-p/42241#M7841 cpeteman 2013-08-21T20:34:00Z https://community.splunk.com/t5/Getting-Data-In/Complicated-extraction-in-props-conf/m-p/42242#M7842 <P>If you wish to do this at index time, and permanently remove the data before it's even written to an index, you can use SEDCMD in props.conf.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Propsconf</A></P> <P>However, I don't think you should remove any timestamps.</P> <P>Hope this helps,</P> <P>Krisitian</P> Wed, 21 Aug 2013 21:04:06 GMT https://community.splunk.com/t5/Getting-Data-In/Complicated-extraction-in-props-conf/m-p/42242#M7842 kristian_kolb 2013-08-21T21:04:06Z https://community.splunk.com/t5/Getting-Data-In/Complicated-extraction-in-props-conf/m-p/42243#M7843 <P>The goal is not to remove permanently (you are right in thinking that would be bad <span class="lia-unicode-emoji" title=":winking_face:">😉</span> but instead to have a new field without the parts I took out from _raw.</P> Wed, 21 Aug 2013 21:06:23 GMT https://community.splunk.com/t5/Getting-Data-In/Complicated-extraction-in-props-conf/m-p/42243#M7843 cpeteman 2013-08-21T21:06:23Z