Try either the replace search command, or eval's replace function.
If the line you've cited is your raw data, the field you'll need to replace on is _raw.
Let's figure out why your props aren't working. The usb_trans field extraction rule you've defined should work just fine, if the data is pipe-delimited. So the next question is whether your data is being indexed with the sourcetype "testing". You can check the metadata with a search like | metadata type=sourcetypes index=<your_index>. If it's not sourcetyped as "testing", then you'll have to adjust your inputs.conf.
Note that | is a special character in sed, as is \, so you'd have to escape the | with \|, and the \ in \| with extra backslashes \\|.
My props.conf contains the following:
[testing]
SHOULD_LINEMERGE = false
KV_MODE = none
REPORT-usb_trans = usb_trans
SEDCMD-usb=sed s/|/\ |/g
And my transforms is like:
[usb_trans]
DELIMS="|"
FIELDS= "NAME", "EMPID", "DIRECTORY", "LOCATION", "APPRE"
Now, tell me how '|' can be replaced with '\ |'; the above configuration line is not working.
Please begin with a clearer statement of the problem you're trying to solve.
"Generating the reports" to Splunkers sounds like a search time thing, with the answer I gave above.
If you want to change the data before it goes into Splunk you'll want to use an index-time transform like SEDCMD in props.conf.
But I want to replace the data before it is imported. My data is '|' separated; if I don't replace '|' with '\ |', then my values are not coming in the proper field.
Please help.
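Added example, not part of the original thread and not Splunk's own code: a small Python model of the two mechanisms discussed above, a sed-style s/.../.../g rewrite and a DELIMS/FIELDS split, showing what an unescaped | does to a pipe-delimited event. Python's re module stands in for the regex engine, and the sample event, the " |" replacement text and the function names are constructed for illustration.

```python
import re

# Constructed sample event, pipe-delimited like the data described in the thread.
SAMPLE = "John Doe|E1001|/media/usb0|Pune|yes"
# Field names taken from the transforms stanza quoted in the thread.
FIELDS = ["NAME", "EMPID", "DIRECTORY", "LOCATION", "APPRE"]


def sed_substitute(pattern, replacement, event):
    """Model s/<pattern>/<replacement>/g with Python's re (stand-in engine)."""
    # A callable keeps the replacement literal (no backslash processing).
    return re.sub(pattern, lambda _m: replacement, event)


def delim_extract(event, delim="|", fields=FIELDS):
    """Model a DELIMS/FIELDS extraction: split on delim, pair with names."""
    values = event.split(delim)
    extracted = dict(zip(fields, values))
    # Values beyond the named fields signal that the event was mangled.
    extracted["_extra_values"] = max(0, len(values) - len(fields))
    return extracted


def compare(event=SAMPLE):
    """Return the event rewritten with an unescaped and an escaped pipe."""
    # Unescaped "|" is alternation between two empty patterns: it matches
    # the empty string at every position, never the pipe character itself.
    unescaped = sed_substitute("|", " |", event)
    # Escaped "\|" matches only the literal pipe.
    escaped = sed_substitute(r"\|", " |", event)
    return unescaped, escaped


if __name__ == "__main__":
    bad, good = compare()
    print("original :", delim_extract(SAMPLE))
    print("unescaped:", repr(bad), delim_extract(bad)["_extra_values"], "extra values")
    print("escaped  :", repr(good), delim_extract(good))
```

In this model the untouched event already splits cleanly into the five named fields, while the escaped rewrite leaves a trailing space on every value except the last.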