Delete a search-time field after extraction

_smp_ — Sat, 24 Feb 2018 15:39:44 GMT

I have a set of logs that require a pretty complex set of regexes to parse. The data has about 8 columns separated by commas, but the values have commas all over the place too so it's not a simple CSV extraction. To make it worse, each column has a bunch of different multivalue field/value pairs with spaces, double-quotes, commas, all sorts of stuff.

In any case, I have successfully extracted the columns into fields with an EXTRACT in props. Then I use that field as the SOURCE_KEY in transforms.conf to do additional extractions - schematically like what I have below.

The data in the COLUMN3 field is not meaningful to the user - it is only used as a simpler means to extract other fields. Therefore I don't want the COLUMN3 field to remain as a search-time extraction for the user. Is there a way to delete the COLUMN3 field after all the fields have been extracted from it?

props.conf
[logs]
EXTRACT-COLUMN1,COLUMN2,COLUMN3 = ^(.*?),(.*?),(.*?)$
REPORT-field_from_COLUMN3 = field_from_COLUMN3

transforms.conf
[field_from_COLUMN3]
SOURCE_KEY = COLUMN3
REGEX = Field=(?P<Field>.*)

Re: Delete a search-time field after extraction

martin_mueller — Sat, 24 Feb 2018 23:59:54 GMT

You should be able to define a calculated field EVAL-COLUMN3 = null() that overwrites the value after the transforms ran: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Searchtimeoperationssequence

Re: Delete a search-time field after extraction

_smp_ — Sun, 25 Feb 2018 04:23:03 GMT

Brilliant! Thanks!

topic Re: Delete a search-time field after extraction in Splunk Search

Delete a search-time field after extraction

Re: Delete a search-time field after extraction

Re: Delete a search-time field after extraction