Solved: Extracting everything but numbers from _raw messag...

cpeteman · ‎08-21-2013

I want to extract all characters but digits and have that as a new field. I've done this with easy in search:

|rex mode=sed "/s\d+//g" | rename _raw AS new_field

but this will not let me see the original _raw message nor does props.conf seem to be able to use one field in a new extraction so I cant extract (copy) _raw and the get rid of numbers using SEDCMD. How do I do this? help please???

kristian_kolb · ‎08-21-2013

could this be a good thing?

your_base_search | eval new_field = _raw | rex field=new_field mode=sed "s/\d+//g" | stats c by new_field

/k

View solution in original post

kristian_kolb · ‎08-21-2013

could this be a good thing?

your_base_search | eval new_field = _raw | rex field=new_field mode=sed "s/\d+//g" | stats c by new_field

/k

cpeteman · ‎08-22-2013

Well this helped me find a solution even though it ended up being a macro.

cpeteman · ‎08-21-2013

I would prefer to be able to do it as a default field whereas if I went this way it'd probably end up as a macro, but it's given me some ideas. I'll get back to you. Thanks.

Extracting everything but numbers from _raw message in props.conf

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...