Microsoft IIS - Remove 0#.w| with transforms.conf and props.conf

Silek
Explorer

Hello everyone,


I am trying to remove this string "0#.w|" with a transforms.conf file. To be sure that my regex is working, I tried it with the rex command:

| rex field=cs_username "(^[^|]+\|(?<cs_username>[^|]+)$)"

I just want to overwrite the field "cs_username" without this string. It works!

Now I want to put this regex in transforms.conf and props.conf.
I am not sure that I can do this, but here is what I am trying to do:

Transforms.conf

[username]
SOURCE_KEY = cs_username
REGEX = ^[^|]+\|(?<cs_username>[^|]+)$
REPEAT_MATCH = true
MV_ADD = true

Props.conf

TRANFORMS-mynewusername = username

I reload in the indexer by using the command: | extract reload=true

But apparently it is not working, which is why I am asking whether it is possible to use a field in the transforms.conf file as I did through the rex command in the GUI.

Thank you for your answers,

1 Solution

richgalloway
SplunkTrust

Removing a string from an event is usually done with SEDCMD in props.conf.

[mysourcetype]
SEDCMD-username = s/0#\.w\|//

Test it at search-time using rex in sed mode.

| rex mode=sed "s/0#\.w\|//"

 

---
If this reply helps you, Karma would be appreciated.
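
The two patterns in this thread can be checked offline before an index-time SEDCMD is deployed. The following is an added example, not code from the original posts: it emulates the sed substitution (no g flag, so only the first match per event is replaced) and the question's regex in Python. The log lines, their field order and the helper names are constructed assumptions.

```python
import re
from typing import Optional

# Pattern from the accepted answer's SEDCMD: s/0#\.w\|//
CLAIMS_PREFIX = re.compile(r"0#\.w\|")
# Pattern from the question's rex / transforms.conf attempt.
QUESTION_REGEX = re.compile(r"^[^|]+\|(?P<cs_username>[^|]+)$")

# Constructed W3C-style events. Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# The third event is built so the literal appears twice in one event.
SAMPLE_EVENTS = [
    r"2024-01-15 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 0#.w|contoso\alice 10.0.0.20",
    r"2024-01-15 10:00:02 10.0.0.5 GET /sites/hr/default.aspx - 443 - 10.0.0.21",
    r"2024-01-15 10:00:03 10.0.0.5 GET /search.aspx q=0#.w|x 443 0#.w|contoso\bob 10.0.0.22",
]
USERNAME_INDEX = 7  # position of cs-username in the assumed field order


def sed_raw(event: str) -> str:
    # The sed expression runs on the whole raw event and has no g flag,
    # so only the first occurrence in the event is removed.
    return CLAIMS_PREFIX.sub("", event, count=1)


def username_after_sed(event: str) -> str:
    # What a field extraction would see in cs-username after the rewrite.
    return sed_raw(event).split(" ")[USERNAME_INDEX]


def username_from_question_regex(event: str) -> Optional[str]:
    # The question's regex is scoped to the cs_username value only.
    match = QUESTION_REGEX.match(event.split(" ")[USERNAME_INDEX])
    return match.group("cs_username") if match else None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(username_after_sed(ev), "|", username_from_question_regex(ev))
```

In the third constructed event the raw-event substitution consumes the earlier occurrence and leaves the prefix on the username, while the field-scoped regex still returns the bare account name.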
