https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344089#M101932 <P>Are you restarting Splunk after each change to the config files?</P> Mon, 24 Apr 2017 19:13:42 GMT richgalloway 2017-04-24T19:13:42Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344086#M101929 <P>I'm having some trouble to delete the text in "plugin_set". </P> <P>Sample Incoming data:</P> <PRE><CODE> {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "10026;10111;10150;10170;10183;", "pokemon": "somsestuff3"} </CODE></PRE> <P>Sample what I want:</P> <PRE><CODE> {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "", "pokemon": "somsestuff3"} </CODE></PRE> <P>This the closest that I got:</P> <PRE><CODE>REGEX = (.*)("plugin_set".*\,) DEST_KEY = _raw FORMAT = $1 nullQueue </CODE></PRE> <P>I also tried this, but that showed everything.</P> <PRE><CODE>REGEX = (.*)("plugin_set".*\,)(.*) DEST_KEY = _raw FORMAT = $1 nullQueue $3 </CODE></PRE> <P>What is the right regex string for deleting the text in "plugin_set"?</P> Mon, 24 Apr 2017 09:18:23 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344086#M101929 Alwiinie 2017-04-24T09:18:23Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344087#M101930 <P>Try this.</P> <PRE><CODE>REGEX = (.*"plugin_set":\s")([^,]+)(",.*) DEST_KEY = _raw FORMAT = $1$3 </CODE></PRE> Mon, 24 Apr 2017 13:02:27 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344087#M101930 richgalloway 2017-04-24T13:02:27Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344088#M101931 <P>It doesn't work, it just shows the all the data.</P> <P>Btw in the props.conf I use this</P> <PRE><CODE>TRANSFORMS-set = removepluginset </CODE></PRE> Mon, 24 Apr 2017 14:34:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344088#M101931 Alwiinie 2017-04-24T14:34:25Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344089#M101932 <P>Are you restarting Splunk after each change to the config files?</P> Mon, 24 Apr 2017 19:13:42 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344089#M101932 richgalloway 2017-04-24T19:13:42Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344090#M101933 <P>Try this in transforms.conf at indexer/heavy forwarder (assuming you're taking care of props.conf changes already)</P> <PRE><CODE>REGEX = ^(.+\"plugin_set\"\:\s*\")([^\"]+)(\".+) DEST_KEY = _raw FORMAT = $1$3 </CODE></PRE> Mon, 24 Apr 2017 20:41:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344090#M101933 somesoni2 2017-04-24T20:41:25Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344091#M101934 <P>Yes, after every change in transform.conf I restart Splunk.</P> Tue, 25 Apr 2017 06:54:19 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344091#M101934 Alwiinie 2017-04-25T06:54:19Z https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344092#M101935 <P>It doesn't work this also showed everything. I don't know if need to change the props.conf more then I now have.<BR /> This what I currently have:<BR /> tansform.conf:<BR /> [removepluginset]<BR /> REGEX = ^(.+\"plugin_set\":\s*\")([^\"]+)(\".+)<BR /> DEST_KEY = _raw<BR /> FORMAT = $1$3</P> <P>props.conf<BR /> [host::hostname]<BR /> TRANSFORMS-set = removepluginset</P> Tue, 29 Sep 2020 13:49:30 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-transform-conf-delete-text-in-the-middle/m-p/344092#M101935 Alwiinie 2020-09-29T13:49:30Z