Getting Data In
Highlighted

Microsoft IIS - Remove 0#.w| with transforms.conf and props.conf

New Member

Hello everyone,


I am trying to remove this string "0#.w|" with a transforms.conf file. To be sure that my regex is working I tried it with the rex command :

| rex field=cs_username "(^[^|]+\|(?<cs_username>[^|]+)$)"
I just want to overwrite the field "cs_username" without this string. It works!

Now I want to put this regex on a transforms.conf and in props.conf
I am not sure that I can do this but here is what I am trying to do :

Transforms.conf

[username]
SOURCE_KEY = cs_username
REGEX = ^[^|]+\|(?<cs_username>[^|]+)$
REPEAT_MATCH = true
MV_ADD = true

Props.conf

TRANFORMS-mynewusername = username

I reload in the indexer by using the command: | extract reload=true

But apparently it is not working that is why I am asking if it is possible to use a field as I did through the rex command in the GUI in the transforms.conf file?

Thank you for your answers,

0 Karma
Highlighted

Re: Microsoft IIS - Remove 0#.w| with transforms.conf and props.conf

SplunkTrust
SplunkTrust

Removing a string from an event is usually done with SEDCMD in props.conf.

[mysourcetype]
SEDCMD-username = s/0#\.w\|//

Test it at search-time using rex in sed mode.

| rex mode=sed "s/0#\.w\|//"

 

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.