
Remove portion of multivalue field with rex-sed

michael_vi
Path Finder

Hi.

I have a file from which I want to remove a portion during index time.

Remove all the text between **************************************

For example:

**********************************************************************
Started at   : 25/02/16 04:07:04
Terminated at:
Elapsed time :

Software:
   Version: 6.0.0.0
   Built  : 6.0.0.0.20141102.1-Release_
            14/11/02 10:06:52
Context:
   Account: SOC
   Machine: NEW
   IP addr: 255.555.543
   CPU    : Dual-Core

LOG Recycle Count:
**********************************************************************
25/02/16 04:07:04.834 |     7904 | TEST1
25/02/16 04:07:04.834 |     7904 | TEST2
25/02/16 04:07:04.865 |     7860 | TEST3
25/02/16 04:07:04.881 |     7860 | TEST4
...

In the end I need to get:

25/02/16 04:07:04.834 |     7904 | TEST1
25/02/16 04:07:04.834 |     7904 | TEST2
25/02/16 04:07:04.865 |     7860 | TEST3
25/02/16 04:07:04.881 |     7860 | TEST4

Please assist

Thanks

0 Karma
1 Solution

kiran_panchavat
SplunkTrust

@michael_vi 

rex mode=sed "s/\*{10,}[\s\S]*?\*{10,}\n//g"

Removes everything between (and including) **************************************.


You can apply the configurations in props.conf and transforms.conf

props.conf

[YOUR_SOURCETYPE]
TRANSFORMS-remove_header = remove_header_content

transforms.conf

[remove_header_content]
# With DEST_KEY = _raw, FORMAT becomes the new _raw of the event, so capture
# what follows the banner and write it back with $1; an empty FORMAT would
# not keep the remaining lines.
REGEX = \*{10,}[\s\S]*?\*{10,}\n([\s\S]*)
FORMAT = $1
DEST_KEY = _raw


Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

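To check what the regex in the accepted answer actually removes, here is an added Python harness (not part of the thread) that runs the same pattern with the standard re module over a constructed copy of the sample, with a second banner as a log recycle would write; it also shows why the lazy *? matters, because the greedy form swallows every event between the first and last banner.

```python
import re

# The answer's pattern, unchanged; these constructs mean the same in Python re and PCRE.
HEADER_RE = re.compile(r"\*{10,}[\s\S]*?\*{10,}\n")
# The same pattern without the lazy '?', kept only to show the failure mode.
GREEDY_RE = re.compile(r"\*{10,}[\s\S]*\*{10,}\n")

# Constructed sample: the banner from the question (abridged), two events,
# a second banner as a log recycle would write, then two more events.
BANNER = (
    "*" * 70 + "\n"
    "Started at   : 25/02/16 04:07:04\n"
    "Terminated at:\n"
    "Elapsed time :\n"
    "\n"
    "Software:\n"
    "   Version: 6.0.0.0\n"
    "Context:\n"
    "   Account: SOC\n"
    "   Machine: NEW\n"
    "\n"
    "LOG Recycle Count:\n"
    + "*" * 70 + "\n"
)
EVENTS_A = ("25/02/16 04:07:04.834 |     7904 | TEST1\n"
            "25/02/16 04:07:04.834 |     7904 | TEST2\n")
EVENTS_B = ("25/02/16 04:07:04.865 |     7860 | TEST3\n"
            "25/02/16 04:07:04.881 |     7860 | TEST4\n")
SAMPLE = BANNER + EVENTS_A + BANNER + EVENTS_B


def strip_headers(text, pattern=HEADER_RE):
    """Emulate rex mode=sed "s/.../ /g": delete every banner match."""
    return pattern.sub("", text)


def banner_count(text):
    """Number of banners the lazy pattern finds (one per log recycle)."""
    return len(HEADER_RE.findall(text))


if __name__ == "__main__":
    # Lazy pattern: only the four event lines remain.
    print(strip_headers(SAMPLE), end="")
    # Greedy pattern: TEST1 and TEST2 are lost along with both banners.
    print("greedy leaves:\n" + strip_headers(SAMPLE, GREEDY_RE), end="")
```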

michael_vi
Path Finder

Thanks!

0 Karma

gcusello
SplunkTrust

Hi @michael_vi ,

As @richgalloway and @kiran_panchavat said, you can use regex101 to find the correct regex to cut a part of your json.

Just one point to watch: the json format has a well-defined structure, so be careful when cutting a part of the event, because if you break the json structure, INDEXED_EXTRACTION=JSON and the spath command will not work correctly, and you will have to parse all the fields manually!

Ciao.

Giuseppe

0 Karma


kiran_panchavat
SplunkTrust

@michael_vi You can try regex to meet your requirement. 



Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

richgalloway
SplunkTrust

What have you tried so far?  How did those results not meet expectations?

Have you experimented with https://regex101.com?

---
If this reply helps you, Karma would be appreciated.
0 Karma