Microsoft IIS - Remove 0#.w| with transforms.conf and props.conf

Silek

Hello everyone,


I am trying to remove this string "0#.w|" with a transforms.conf file. To be sure that my regex is working, I tried it with the rex command:

| rex field=cs_username "(^[^|]+\|(?<cs_username>[^|]+)$)"

I just want to overwrite the field "cs_username" without this string. It works!

Now I want to put this regex in a transforms.conf and in props.conf.
I am not sure that I can do this, but here is what I am trying to do:

Transforms.conf

[username]
SOURCE_KEY = cs_username
REGEX = ^[^|]+\|(?<cs_username>[^|]+)$
REPEAT_MATCH = true
MV_ADD = true

Props.conf

TRANFORMS-mynewusername = username

I reload in the indexer by using the command: | extract reload=true

But apparently it is not working, which is why I am asking whether it is possible to use a field in the transforms.conf file as I did through the rex command in the GUI?

Thank you for your answers,


richgalloway
SplunkTrust

Removing a string from an event is usually done with SEDCMD in props.conf.

[mysourcetype]
SEDCMD-username = s/0#\.w\|//

Test it at search-time using rex in sed mode.

| rex mode=sed "s/0#\.w\|//"

---
If this reply helps you, an upvote would be appreciated.
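
The following is an added example, not part of the original post or of Splunk's own code: a Python emulation of the SEDCMD above, run over constructed IIS lines, to check what the rewrite does to the whole raw event. A sed expression without the g flag replaces only the first match in the event, so the audit compares it against a strip scoped to cs_username. The field layout, sample values and function names are assumptions, and Python's re stands in for Splunk's regex engine.

```python
import re

# Constructed IIS W3C sample (field order and values are assumptions).
FIELDS = ["date", "time", "cs_method", "cs_uri_stem", "cs_uri_query",
          "cs_username", "c_ip", "sc_status"]
SAMPLE_EVENTS = [
    r"2021-03-01 10:15:02 GET /sites/hr/default.aspx - 0#.w|contoso\jdoe 10.0.0.5 200",
    r"2021-03-01 10:15:07 GET /favicon.ico - - 10.0.0.9 401",
    r"2021-03-01 10:16:11 GET /find.aspx u=0#.w|x 0#.w|contoso\asmith 10.0.0.7 200",
]

PREFIX = re.compile(r"0#\.w\|")  # same pattern as the SEDCMD in the answer


def sedcmd_first_match(raw):
    """Emulate the SEDCMD on the raw event: no g flag, so first match only."""
    return PREFIX.sub("", raw, count=1)


def parse(raw):
    """Split a space-delimited W3C line into a dict keyed by FIELDS."""
    return dict(zip(FIELDS, raw.split(" ")))


def strip_in_field(raw):
    """Reference behaviour: remove the prefix only at the start of cs_username."""
    event = parse(raw)
    event["cs_username"] = re.sub(r"^0#\.w\|", "", event["cs_username"])
    return event


def audit(events):
    """Return events where the raw-event rewrite and the field-scoped strip disagree."""
    mismatches = []
    for raw in events:
        got = parse(sedcmd_first_match(raw))
        want = strip_in_field(raw)
        if got != want:
            mismatches.append((raw, got["cs_username"], want["cs_username"]))
    return mismatches


if __name__ == "__main__":
    for raw, got, want in audit(SAMPLE_EVENTS):
        print(f"cs_username={got!r} expected={want!r} in: {raw}")
```

On the constructed sample, only the third line is flagged: the prefix also occurs in the query string, so the first-match rewrite changes that field and leaves cs_username untouched.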
