topic Re: How to remove extra characters from an indexed event? in Splunk Search

How to remove extra characters from an indexed event?

Bellamar10 — Tue, 22 May 2018 20:25:13 GMT

Good afternoon

Is there a way to remove extra characters (\xAF) from already indexed events such as this one:

20182018--0505--2222  1111::3939::1818,,937937 [ [4747] ] ERRORERROR  -- 
  ErrorError  MessageMessage::  OneOne  oror  moremore  errorserrors  occurredoccurred..
 \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Stack Trace:

Thank you in advance

Re: How to remove extra characters from an indexed event?

MuS — Tue, 22 May 2018 20:35:36 GMT

Hi Bellamar10,

try this:

| makeresults 
| eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR -- 
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF" 
| rex mode=sed field=foo "s/\\\xAF//g"

The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF from your search result. But remember the characters will still be in the _raw event 😉

Hope this helps ...

cheers, MuS

Re: How to remove extra characters from an indexed event?

xpac — Tue, 22 May 2018 20:48:29 GMT

Just to add on this - because you explicitely asked for "already indexed events" - you can do this like shown above, but it will not be persistent. Data, once indexed, can not be changed afterwards (permanently), only in every search again and again.

Re: How to remove extra characters from an indexed event?

MuS — Tue, 22 May 2018 20:54:25 GMT

HeHE, did you read my answer to the end? I already mentioned that in my answer 😉

Re: How to remove extra characters from an indexed event?

xpac — Tue, 22 May 2018 21:57:10 GMT

Hehe, I read that, but I wasnt clear to me that you meant that... which might be a non-native-English issue with me, sorry 😉

Re: How to remove extra characters from an indexed event?

MuS — Tue, 22 May 2018 22:05:18 GMT

let's call it lost in translation from swiss german - german - english at the writer side and english - german on the reader side 🙂