topic Re: How do I edit my "rex mode=sed" search to extract this field? in Splunk Search

How do I edit my "rex mode=sed" search to extract this field?

daniel333 — Thu, 11 Feb 2016 18:04:08 GMT

Just playing with rex sed a bit here. I had load balancer log which pops out the data center name. Just thought I would SED the event so that it was in key value format, but it doesn't look like Splunk will extract it as a field. Is there an option I am missing or this normal?

tag=mystuff | rex mode=sed "s/MYDCname/datacenter=MYDCname /g"

Re: How do I edit my "rex mode=sed" search to extract this field?

somesoni2 — Thu, 11 Feb 2016 18:08:06 GMT

Providing a sample events and highlighting the value you need to extract as a field will help here. The rex with sed is just to update an existing field value. To create/extract a new field, use regular rex, something like this

tag=mystuff | rex field=yourfield(default is _raw) "(?<datacenter>MYDCname)"

Re: How do I edit my "rex mode=sed" search to extract this field?

woodcock — Mon, 15 Feb 2016 22:59:12 GMT

If you are trying to modify it BEFORE it gets indexed, you need to put a SEDCMD in a props.conf on your HF or Indexers:
http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles

Re: How do I edit my "rex mode=sed" search to extract this field?

chimell — Tue, 16 Feb 2016 08:52:33 GMT

Hi
just escape = character like below

tag=mystuff | rex mode=sed "s/MYDCname/datacenter\=MYDCname /g"

verify that MYDCname string is present in a _raw field