https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632501#M219716 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254255">@ayushram</a>,</P><P>you can avoid to display a part of your logs in your searches, but accessing the raw log it's all visible:</P><P>&nbsp;</P><LI-CODE lang="markup">| rex mode=sed "s/(?ms)\"toBeRemoved\":.*\}\],//g"</LI-CODE><P>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Tue, 28 Feb 2023 07:37:52 GMT gcusello 2023-02-28T07:37:52Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632329#M219650 <P>Splunk search events returns json format log data. I want to remove a particular key:value pair since the value of this key is huge (in terms of length) and unnecessary. How can I do so.<BR /><BR />sample log data:</P><P>{<BR />"abcd1": "asd",<BR />"abcd2": [],<BR />"abcd3": true,<BR /><STRONG>"toBeRemoved": [{</STRONG><BR /><STRONG>"abcd8": 234,</STRONG><BR /><STRONG>"abcd9": [{</STRONG><BR /><STRONG>"abcd10": "asd234"</STRONG><BR /><STRONG>}],</STRONG><BR /><STRONG>"abcd11": "asdasd"</STRONG><BR /><STRONG>}]</STRONG>,<BR />"abcd4": 324.234,<BR />"abcd5": "dfsad dfsdf",<BR />"abcd6": 0,<BR />"abcd7": "asfsdf"<BR />}</P><P>The key:value pair to be removed has been marked in bold.</P><P>! NOTE THIS IS FORMATTED DATA, FIELDS CAN HAVE STRINGS, NUMBERS, BOTH, LISTS, ETC !</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 27 Feb 2023 08:07:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632329#M219650 ayushram 2023-02-27T08:07:40Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632330#M219651 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254255">@ayushram</a>,</P><P>if you want to remove the highlighted data from the logs before indexing you have to add to your props.conf:</P><LI-CODE lang="markup">[your_sourcetype] SEDCMD = s/(?ms)\"toBeRemoved\":.*\}\],//g</LI-CODE><P>remember that this props.conf must be added on your Indexers or (if present) on your Heavy Forwarders.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 27 Feb 2023 08:20:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632330#M219651 gcusello 2023-02-27T08:20:02Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632332#M219652 <P>I do not have access to pros.conf<BR /><BR />Is there any way to do this from search itself?<BR />I want my final data in " | table ", but it's not loading wherever this highlighted field appears (since it has too many characters)</P> Mon, 27 Feb 2023 08:47:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632332#M219652 ayushram 2023-02-27T08:47:49Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632341#M219663 <P>Try something like this - this assumes "toBeRemove" is not the first element i.e. is is preceded by a comma (which needs to be removed).</P><LI-CODE lang="markup">| rex mode=sed "s/(?ms),\s*\"toBeRemoved\":\s*\[([^\[\]]+|\[[^\]]*\])*\]//g"</LI-CODE> Mon, 27 Feb 2023 10:36:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632341#M219663 ITWhisperer 2023-02-27T10:36:47Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632501#M219716 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254255">@ayushram</a>,</P><P>you can avoid to display a part of your logs in your searches, but accessing the raw log it's all visible:</P><P>&nbsp;</P><LI-CODE lang="markup">| rex mode=sed "s/(?ms)\"toBeRemoved\":.*\}\],//g"</LI-CODE><P>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Tue, 28 Feb 2023 07:37:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-json-key-value-pairs-from-events-log-data/m-p/632501#M219716 gcusello 2023-02-28T07:37:52Z