Re: Remove fields at index time from a CSV file

robwheeler · ‎08-18-2017

Hello,

I have a CSV file that has 21 fields, I need to remove fields 1,2 & 15 from the CSV file as this contains sensitive information.

The list is comma separated but I can't work out how to remove these at index time. I have the option to remove or mask but the value in each field is of different length.

Can anyone help with the props & transforms required for this please.

Regards

Rob

njandieri · ‎03-09-2019

After several regex suicide commitments, I've got this below working:

SEDCMD-subst1 = s/(([^;]*;){NN})[^;]*;(.*)/\1SUBSTITUTION;\3/g

You can replace the semicolon with your delimiter, NN is an N-1 field to replace, SUBSTITUTION is the replacement text. You can have an empty string there to remove the field.

richgalloway · ‎08-18-2017

Try using SEDCMD. This is the method often used for masking, but can also omit fields. You may need to adjust the regex to match your data.

In props.conf:

[mySourcetype]
SEDCMD = s/([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/\3,\4,\5,\6,\7,\8,\9,\10,\11,\12,\13,\14,\16,\17,\18,\19,\20,\21/

---
If this reply helps you, Karma would be appreciated.

Remove fields at index time from a CSV file

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation