topic Remove character pattern from field value in Splunk Search

Remove character pattern from field value

bcarr12 — Thu, 22 Jun 2017 20:14:11 GMT

In one of my logs, I have some fields that return values such as:
status=FA-Full Pulse AOV Access Realm)[
status=FA-Full Pulse AOV Access Realm)[FA-CGK Bypass Role
status=unknown)[

What is the best way to strip the ")[" pattern from each of these values and replace with something like a blank space (ie " "). I tried replace ")[" WITH " " IN status but it doesn't seem to be doing anything.

Re: Remove character pattern from field value

lguinn2 — Thu, 22 Jun 2017 20:59:51 GMT

If you want to permanently remove these characters, that can be done at parsing time.

props.conf

[yoursourcetypehere]
TRANSFORMS=fixChar

transforms.conf

[fixChar]
SOURCE_KEY=_raw
REGEX=(.*)\)\[(.*)
DEST_KEY=_raw
FORMAT=$1 $2

You might not want to set this up exactly as I have shown in this example, but it will probably work. Remember that you can't use the status field in the transform, because it doesn't exist at this point.

Re: Remove character pattern from field value

richgalloway — Thu, 22 Jun 2017 21:04:43 GMT

Replace should work, but perhaps it's confused by the paren and bracket. Try rex. It will be confused by the paren and bracket so they'll need to be escaped.

rex mode=sed "s/\)\[/ /g"

Re: Remove character pattern from field value

bcarr12 — Fri, 23 Jun 2017 12:35:16 GMT

Thanks! This works great.

Re: Remove character pattern from field value

bcarr12 — Mon, 26 Jun 2017 12:57:05 GMT

If I can be a pain - can rex also be used if I wanted to replace the )[ with something like a pipe? Just trying to find an easy way to seperate the values when there is more than one status.

For instance:
status=FA-Full Pulse AOV Access Realm |
status=FA-Full Pulse AOV Access Realm | FA-CGK Bypass Role
status=unknown |