https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39242#M178769 <P>I'm not really sure what you mean. Where am I using this re? and what do I put in the regex expression if I only have a sed expression?</P> Tue, 20 Aug 2013 15:41:36 GMT cpeteman 2013-08-20T15:41:36Z https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39238#M178765 <P>The following search removes usernames, host names, all time information, any digits, and turns all strings of white space into a single "_" for the _raw message. </P> <PRE><CODE>.... |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" |rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" |rex mode=sed "s/(Jan|January|Feb|Febuary|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" |rex mode=sed "s/\s+/_/g"| rename _raw AS msgdigest |stats count by msgdigest </CODE></PRE> <P>I would like to be able to have this "digested" message available as a field does anyone know how to turn this into a field. Preferably with the transforms and extraction pages in manager as I'm currently having unrelated problems with props.conf and transforms.conf files. Please help!</P> Mon, 19 Aug 2013 17:12:25 GMT https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39238#M178765 cpeteman 2013-08-19T17:12:25Z https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39239#M178766 <P>A workaround is to create a macro and call it after the search.</P> <P>For the automatic field extractions (rex command), please see<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles</A><BR /> I never tried to use the mode=sed in the configuration file, I couldn't figure if it's possible. </P> Mon, 19 Aug 2013 19:25:12 GMT https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39239#M178766 yannK 2013-08-19T19:25:12Z https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39240#M178767 <P>A marco would take away the original _raw message, as I have my search now that is. Do you know if that can be avoided?</P> Mon, 19 Aug 2013 20:53:24 GMT https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39240#M178767 cpeteman 2013-08-19T20:53:24Z https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39241#M178768 <P>Did this not work?<BR /> Syntax <BR /> rex <A href="https://community.splunk.com/regex-expression%3E%20%5Bmax_match=%3Cint%3E%5D%20%7C%20mode=sed%20%3Csed-expression">field=<FIELD></FIELD></A></P> Mon, 19 Aug 2013 22:51:57 GMT https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39241#M178768 lukejadamec 2013-08-19T22:51:57Z https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39242#M178769 <P>I'm not really sure what you mean. Where am I using this re? and what do I put in the regex expression if I only have a sed expression?</P> Tue, 20 Aug 2013 15:41:36 GMT https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39242#M178769 cpeteman 2013-08-20T15:41:36Z https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39243#M178770 <P>For now a macro seems to be the only option I did manage to avoid my fear in the above comment.</P> Mon, 26 Aug 2013 22:55:23 GMT https://community.splunk.com/t5/Splunk-Search/Turning-a-search-into-a-new-field/m-p/39243#M178770 cpeteman 2013-08-26T22:55:23Z