Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to replace field during parsing?

bosseres
Contributor
‎01-24-2023 05:19 AM

Hello everyone, 

I have logs like 

 

 

2022-11-23 12:47:42.000 id="123" event="some text text2 text3   text4"

 

 

I want to trim everything that goes after three consecutive spaces, so I want to get raw logs

 

 

2022-11-23 12:47:42.000 id="123" event="some text text2 text3"

 

 

 

I did such props.conf

[my_sourcetype]
...
EXTRACT-event = event="(?<event>.+?)\s{3,}.*"
...

 

It's working fine, I get event field what I want, but I still get old logs with 3+ spaces.

What should I add to props conf to get correct logs?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2023 09:54 AM

Splunk can work on events in two separate points.

One thing is the so-called index time processing. Which means that an event is being ingested from the source, some transforms are being applied, possibly rewriting some metadata (a relatively common use - to cast event to another sourcetype, or filter some events out completely by redirecting them to nullqueue), extracting indexed fields or trimming/rewriting raw data. Then event is written do the index and its _raw value is immutable from now on - you can't change it anymore.

With search-time operations you can extract some parts of the raw message as fields, calculate other fields based on those values and/or indexed fields and so on.

So if you define a search-time extraction (that's what the EXTRACT setting does), you can get your field value populated but the original _raw event still contains the event as it was when it was ingested and written to the index. If you want to trim the raw event value before writing it to the index, you have to use TRANSFORMS or SEDCMD.

Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2023 05:23 AM

Hi @bosseres,

if you are speaking at search time, the same rules can be applied also to old events.

If you're speaking at index time, you can only apply rules to new indexed events not to already indexed events.

If you want to modify already indexed events, it isn't possible in Splunk.

As a workaround you could extract and reindex them, but it's a very hard work.

Ciao.

Giuseppe

Reply

bosseres
Contributor
‎01-24-2023 05:25 AM

I want to replace/trim only new logs, that not indexed

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2023 08:55 AM

Hi @bosseres,

if you're sure that in each event you have only one group of three spaces, you could try this command to insert in props.conf:

SEDCMD-reduce_event = s/^.*\s\s\s.*/^.*\s\s\s/g

Ciao.

Giuseppe

Reply

antob
Engager
‎08-07-2023 09:15 AM

What if I want to replace all the values in a specific field (number 3) during ingestion with a fixed value for all rows?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...