topic How to change a value at index time in Splunk Search

How to change a value at index time

JPrictoe — Tue, 22 May 2018 20:59:10 GMT

Hiya, simple question here. I want to change the way a value is represented to me after I index, see the following:

2014-02-21 10:42:57 support-1 root: [ID 702911 daemon.notice] * <WARNING> : target=backed(up

I want "backed(up" to be replaced with "backed-up". Any suggestions?

Re: How to change a value at index time

somesoni2 — Tue, 22 May 2018 21:21:06 GMT

You can use data masking/anonymization methods listed in below link to replace a string with another.

http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Anonymizedata

Re: How to change a value at index time

Shan — Wed, 23 May 2018 05:02:02 GMT

@JPrictoe

After data is indexed. If you want to change the following underling data only in your query.
Then you can try something like i mentioned below. This won't change the data in index.

| makeresults
| eval target="backed(up"
| replace "backed(up" with "backed-up"
| table target

Re: How to change a value at index time

mayurr98 — Wed, 23 May 2018 06:14:31 GMT

Try this :

If you want to anonymize data at search time then try :

| makeresults 
| eval _raw=" 2014-02-21 10:42:57 support-1 root: [ID 702911 daemon.notice] * <WARNING> : target=backed(up" 
| rex field=_raw mode=sed "s/(backed)\((up)/\1-\2/g"

at index time then try:

1) Edit or create a copy of props.conf in $SPLUNK_HOME/etc/system/local

Create a props.conf stanza that uses SEDCMD to indicate a sed script:

[<your_sourcetype>]
SEDCMD-backedup = s/(backed)\((up)/\1-\2/g

2) After making changes to props.conf, restart the Splunk instance to enable the configuration.
let me know if this helps!

Re: How to change a value at index time

niketn — Wed, 23 May 2018 06:52:56 GMT

@shankarananth you are missing in target argument in your replace command, otherwise it will apply to all the available fields.

| makeresults 
| eval target="backed(up", someotherfield="backed(up"
| replace "backed(up" with "backed-up"
| table target someotherfield

So correct query is

| makeresults 
| eval target="backed(up", someotherfield="backed(up"
| replace "backed(up" with "backed-up" in target
| table target someotherfield

Here is another option with replace() evaluation function

| makeresults 
| eval target="backed(up", someotherfield="backed(up"
| eval target=replace(target,"(backed)\((up)","\1\2")
| table target

However, better approach would be to use SEDCMD during index-time as suggested by @mayurr98 and @somesoni2, so that data is indexed as expected, rather than using search time field corrections. As per your question you are looking for index time correction.

You should also check out the feasibility of correcting the logging by application in the first place if the logged text is not as expected. Even if you don't own the code or the app is third party, you can always notify them of such correction with miss-spelled/incorrect logging!