I am using FIELD_DELIMITER=; and am working on data that use commas instead of decimals. I want to use a SED to replace those with dots when indexing (s/,/./g). I tried this in props.conf:
SEDCMD-coma = s/,/./g
I also tried this in props.conf:
TRANSFORMS-toto = toto
And in transforms.conf:
[toto]
REGEX = s/,/./g
And in all cases the behavior is the same: on my raw events (_raw) it works fine:
But it never affects the fields that are extracted:
10 premières valeurs    Nombre    %
0                       3832      6,415 %
0,07                    108       0,181 %
0,76                    103       0,172 %
0,02                    97        0,162 %
0,77                    96        0,161 %
Ideas to do this?
Thank you in advance. Best Regards.
OK, your solution was to post-modify the fields one-by-one at search time. You don't have to use a Data Model, you can just do it like this whenever you need it (search bar, dashboard), like this:
... | rex mode=sed field=<SomeFieldName> "s/,/./g"
It looks like you will probably have to pre-process the file outside of Splunk. I wish there was more detail here:
Hello somesoni2, and thank you for your answer and help.
The behavior with what you offer is the same as quoted above: the dot is present in _raw but not passed on to the fields extracted from the CSV file.
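The suggestion above to pre-process the file outside of Splunk could look like the following. This is an added example, not code from any poster in this thread; it assumes a semicolon-delimited file as in the question, and the column names and sample rows are constructed. Unlike a blanket s/,/./g, it rewrites only fields that are entirely a decimal-comma number, so commas inside text fields survive.

```python
import csv
import io
import re

# A whole field that is a decimal-comma number, optionally signed and
# optionally followed by a percent sign (e.g. "6,415 %").
DECIMAL_COMMA = re.compile(r"^\s*[+-]?\d+,\d+\s*%?\s*$")


def normalize_field(value):
    """Swap the decimal comma for a dot only when the whole field is numeric."""
    if DECIMAL_COMMA.match(value):
        return value.replace(",", ".")
    return value


def normalize_csv(src, dst, delimiter=";"):
    """Copy a delimited file from src to dst, normalizing numeric fields.

    Returns the number of fields that were rewritten.
    """
    reader = csv.reader(src, delimiter=delimiter)
    writer = csv.writer(dst, delimiter=delimiter, lineterminator="\n")
    changed = 0
    for row in reader:
        out = [normalize_field(f) for f in row]
        changed += sum(1 for a, b in zip(row, out) if a != b)
        writer.writerow(out)
    return changed


# Constructed sample input (not data from the original post).
SAMPLE = (
    "host;ratio;share;comment\n"
    'srv01;0,07;6,415 %;"disk full, rotated"\n'
    "srv02;0,76;0,181 %;ok\n"
    'srv03;12;1,5;"a;b"\n'
)


def demo():
    """Run the normalizer over SAMPLE and return (fields changed, output text)."""
    out = io.StringIO()
    count = normalize_csv(io.StringIO(SAMPLE), out)
    return count, out.getvalue()


if __name__ == "__main__":
    count, text = demo()
    print(text, end="")
    print(f"{count} fields rewritten")
```

For real files, open both the input and the output with newline="" so the csv module handles line endings itself.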