Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove portion of multivalue field with rex-sed

michael_vi
Path Finder
‎02-16-2025 03:49 AM

Hi.

I have a file that I want to remove portion of it during index time.

Remove all the text between **************************************

For example:

**********************************************************************
Started at   : 25/02/16 04:07:04
Terminated at:                                                        
Elapsed time :                                                        
                                                                                                        
Software:
   Version: 6.0.0.0
   Built  : 6.0.0.0.20141102.1-Release_
            14/11/02 10:06:52
Context:
   Account: SOC
   Machine: NEW
   IP addr: 255.555.543
   CPU    : Dual-Core

LOG Recycle Count:                                                    
**********************************************************************
25/02/16 04:07:04.834 |     7904 | TEST1
25/02/16 04:07:04.834 |     7904 | TEST2
25/02/16 04:07:04.865 |     7860 | TEST3
25/02/16 04:07:04.881 |     7860 | TEST4
...

 In the end I need to get:

25/02/16 04:07:04.834 |     7904 | TEST1
25/02/16 04:07:04.834 |     7904 | TEST2
25/02/16 04:07:04.865 |     7860 | TEST3
25/02/16 04:07:04.881 |     7860 | TEST4

Please assist

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-16-2025 06:20 AM

@michael_vi 

rex mode=sed "s/\*{10,}[\s\S]*?\*{10,}\n//g" Removes everything between (and including) **************************************.

kiran_panchavat_1-1739715530562.png

You can apply the configurations in props.conf and transforms.conf

props.conf

[YOUR_SOURCETYPE]
TRANSFORMS-remove_header = remove_header_content

transforms.conf 

[remove_header_content]
REGEX = \*{10,}[\s\S]*?\*{10,}\n
FORMAT =
DEST_KEY = _raw

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

View solution in original post

Reply
Solved! Jump to solution

michael_vi
Path Finder
‎02-17-2025 05:44 AM

Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-17-2025 12:35 AM

Hi @michael_vi ,

as @richgalloway and @kiran_panchavat said, you can use regex101 to find the correct regex to cut a part ot your json.

Only one attention point: json format has a well defined structure, so beware in cutting a part of the event, because if you break the json structure, the INDEXED_EXTRACTION=JSON and the spath command will not work correctly, and you have to manually parse all the fields!

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-16-2025 06:20 AM

@michael_vi 

rex mode=sed "s/\*{10,}[\s\S]*?\*{10,}\n//g" Removes everything between (and including) **************************************.

kiran_panchavat_1-1739715530562.png

You can apply the configurations in props.conf and transforms.conf

props.conf

[YOUR_SOURCETYPE]
TRANSFORMS-remove_header = remove_header_content

transforms.conf 

[remove_header_content]
REGEX = \*{10,}[\s\S]*?\*{10,}\n
FORMAT =
DEST_KEY = _raw

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-16-2025 06:16 AM

@michael_vi You can try regex to meet your requirement. 

kiran_panchavat_0-1739715367236.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-16-2025 05:59 AM

What have you tried so far?  How did those results not meet expectations?

Have you experimented with https://regex101.com?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...