Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to filter initial data from a file and process...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bkumarm
Contributor
02-16-2016
03:46 AM
HI
I am reading an input from a TCP input that is coming as below. However, each event is having a set of data prepended which is causing the spath command to fail.
I wan to filter out "<01>- hostname " and provide the remaining part as input for spath command.
I need help in getting a regular expression to do it.
The sample input:
<01>- hostname {"name":"DefaultProfile","version":"1.0","isonjkpFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"Event","category":"RT_FLOW_SESSION_CREATE_LS","protocolID":"6","sev":"1","src":"192.168.1.10","dst":"192.168.1.110","srcPort":"25253","dstPort":"80","ujnhbgtrf":"1","credibility":"1","startnjkpEaqer":"1455617975494","startnjkpISO":"2014-01-19T01:29:30.494-03:00","hnbjkiunjkpEaqer":"1455617975494","hnbjkiunjkpISO":"2014-01-19T04:19:35.494-06:00","mkiophirhbYH":"12abc22z-b812-22h7-234f-551016123jal","devnjkpEaqer":"1455639575000","iopHuimeNJI":"2014-01-19T10:19:35.000-06:00","qweLjctNAT":"192.168.1.210","pinBistYHG":"192.168.1.110","srcGyhNBHAsdn":"1","dstGyhNBHAsdn":"1","qweLjctNATPort":"-1234","pinBistYHGPort":"80","hasIdentity":"false","njukoan":"<01>2 2014-01-19T10:17:45.679Z abcd-efg2-9876z WT_FLOW - WT_FLOW_MJHGTYH_CREATE_BS [helps@2222.2.2.2.2.22 localis-compute-zxcv=\"ABC1\" lokmnb-qazwsxe=\"192.168.1.10\" gtfvbj-qwer=\"25253\" qwertyujhnq-address=\"192.168.1.110\" qwertyujhnq-port=\"80\" compute-zxcv=\"kudoi-http\" bat-mnbvcx-address=\"192.168.1.210\" bat-mnbvcx-port=\"78781\" bat-qwertyujhnq-address=\"192.168.1.110\" batqwertyujhnq-port=\"80\" abc-lkjhgfd-name=\"VX-TYU9-TYU-OPT-2\" pkt-lkjhgfd-name=\"None\" protocol-id=\"9\" asdfgh-name=\"JV-X-P786-QWER-BHV\" source-NMLP-name=\"Z-B768-QWER\" qwertyujhnq-NMLP-name=\"M-B890-POIU\" session-id-32=\"098765432\" username=\"N/A\" roles=\"N/A\" MLKIOP-MNJYHGTS-ASDRNJUPJ=\"NJKI3.9876\" application=\"UNKNOWN\" MKUNJI-application=\"UNKNOWN\" mnbhyujgt=\"UNKNOWN\"]","bgasbnJuh":"1","mnbIPOUN":"other","absIPPOL":"other","basghlothp":"false","muqaloID":"9","qwmnpName":"VV_MJOK_SESSION_AWBHNJ_PK","qwaszxmnlkpotyfh":"Session Nhjuyt","wrtyJhyblascvfght":"Access","eventDescription":"A nyhbgtfr basftio bhg inmuytr.","azcvftghbvgt":"acb","qweTgvfrt":"minj-bag6-7856ab-Hnqasui","abcPecpokk":"och-00-145-987.Net_11_4_5_6","mnbJhbpoiu":"other","oijDgfhbnIjkm":"Poijhgb PKM Mnbgftr Asdervhj Thbgfra","nhjRkyhcfBhytf":"MKI-PLO-ASW","thuHyrtfcQhbnjuytfv":"192.168.1.11"}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-16-2016
10:03 AM
You can use following props.conf configuration in your Indexer/Heavy Forwarder, to remove that prefix at index time
props.conf
[YourSourceType]
...other configurations...
SEDCMD-removeprefix = s/^([^\{]+)(\{.*)/2/g
To do this in your search in-line, try something like this
your base search | rex mode=sed "s/^([^\{]+)(\{.*)/2/g" | spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-16-2016
10:03 AM
You can use following props.conf configuration in your Indexer/Heavy Forwarder, to remove that prefix at index time
props.conf
[YourSourceType]
...other configurations...
SEDCMD-removeprefix = s/^([^\{]+)(\{.*)/2/g
To do this in your search in-line, try something like this
your base search | rex mode=sed "s/^([^\{]+)(\{.*)/2/g" | spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bkumarm
Contributor
02-16-2016
11:05 PM
The final Query that solved my requirement is
base search | rex field=_raw mode=sed "s/\<\d+\>\-[^\{]+//g"
this Query, even without spath command provides afield value exactly the way we need for analytics.
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
