https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669330#M229570 <P>Use <FONT face="courier new,courier">SEDCMD </FONT>in props.conf</P><LI-CODE lang="markup">[mysourcetype] SEDCMD-rm-geo_protection = s/protection_type=geo_protection/---/g</LI-CODE><P>&nbsp;</P> Tue, 21 Nov 2023 13:58:07 GMT richgalloway 2023-11-21T13:58:07Z https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669256#M229547 <P>Firewall logs needs some purification for threat monitoring, below are couple events,&nbsp;</P><P>From the events below action=Accept AND Service=23 along with protection_type=geo_protection, we need "protection_type=geo_protection" to be removed from raw in indextime extraction.</P><P>Current:</P><P>&nbsp;</P><LI-CODE lang="markup">2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513220|hostname=firewallhost|product=Firewall|action=Accept|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=000|time=1700513220|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|protection_type=geo_protection|proto=99|s_port=1234|service=23|src=111.11.1.111|src_country=Other 2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Accept|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|protection_type=geo_protection|proto=99|s_port=1234|service=23|src=111.11.1.111|src_country=Other 2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Accept|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|protection_type=geo_protection|proto=99|s_port=1234|service=23|src=111.11.1.111|src_country=Other 2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Denied|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|protection_type=geo_protection|proto=99|s_port=1234|service=67|src=111.11.1.111|src_country=Other</LI-CODE><P>&nbsp;</P><P>Expected:</P><P>&nbsp;</P><LI-CODE lang="markup">2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513220|hostname=firewallhost|product=Firewall|action=Accept|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=000|time=1700513220|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|---|proto=99|s_port=1234|service=23|src=111.11.1.111|src_country=Other 2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Accept|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|---|proto=99|s_port=1234|service=23|src=111.11.1.111|src_country=Other 2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Accept|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|---|proto=99|s_port=1234|service=23|src=111.11.1.111|src_country=Other 2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Denied|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|protection_type=geo_protection|proto=99|s_port=1234|service=67|src=111.11.1.111|src_country=Other</LI-CODE><P>&nbsp;</P><P>Thanks in Advance!</P> Mon, 20 Nov 2023 21:25:02 GMT https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669256#M229547 sandeepreddy947 2023-11-20T21:25:02Z https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669330#M229570 <P>Use <FONT face="courier new,courier">SEDCMD </FONT>in props.conf</P><LI-CODE lang="markup">[mysourcetype] SEDCMD-rm-geo_protection = s/protection_type=geo_protection/---/g</LI-CODE><P>&nbsp;</P> Tue, 21 Nov 2023 13:58:07 GMT https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669330#M229570 richgalloway 2023-11-21T13:58:07Z https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669331#M229571 <P>But, this regex with SED will replace in all events, i only need them replaced when action=Allowed and Service=23" in raw events. your regex will not satisfy below event.</P><LI-CODE lang="markup">2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Denied|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|protection_type=geo_protection|proto=99|s_port=1234|service=67|src=111.11.1.111|src_country=Other</LI-CODE><P>&nbsp;</P> Tue, 21 Nov 2023 14:14:08 GMT https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669331#M229571 sandeepreddy947 2023-11-21T14:14:08Z https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669350#M229580 <P>Sorry about that.&nbsp; Try this <FONT face="courier new,courier">SEDCMD</FONT>, instead.&nbsp; It does, however, make some assumptions about the order of fields.</P><LI-CODE lang="markup">SEDCMD-rm-geo_protection = s/(.*\|action=Accept\|)(.*?)\|protection_type=geo_protection\|(.*?)(\|service=23.*)/\1\2|---|\3\4/</LI-CODE><P>&nbsp;</P> Tue, 21 Nov 2023 15:25:55 GMT https://community.splunk.com/t5/Splunk-Search/Remove-specific-strings-from-raw-events-based-on-other-fields/m-p/669350#M229580 richgalloway 2023-11-21T15:25:55Z