Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove property from json event

Bartlander12
Explorer
‎07-23-2021 01:52 AM

Hello all,

THis is probably very easy or impossible in splunk, but I cant find any sufficient answers.

I am trying to remove a single property from JSOn event(during parsing or I dont want it at all), e.g. I want remove "country":  property and everything in it in every event which will come to splunk. Is something like that possible? 

I have tried some SEDCM in props.conf but no succes. Do you have any ideas? Thank you very much.

 

{ "random": 23, "random float": 28.173, "bool": false, "date": "1990-08-31", "regEx": "helloooooooooooooooooooooooooooooooooooooooooooooooooo world", "enum": "generator", "firstname": "Latisha", "lastname": "Alexandr", "city": "Tiraspol", "country": "Algeria", "countryCode": "MC", "email uses current data": "Latisha.Alexandr@gmail.com", "email from expression": "Latisha.Alexandr@yopmail.com", "array": [ "Dyann", "Christal", "Renie", "Tilly", "Margette" ], "array of objects": [ { "index": 0, "index start at 5": 5 }, { "index": 1, "index start at 5": 6 }, { "index": 2, "index start at 5": 7 } ], "Raquela": { "age": 50 } }

json_test.PNG

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-23-2021 04:02 AM

@Bartlander12 

Try this SEDCMD in your props.conf.

SEDCMD-a=s/,\s(\"country\": \"\w+[^,])//g

 

 

Screenshot 2021-07-23 at 4.32.44 PM.png

Thanks
KV
▄︻̷̿┻̿═━一   ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. 

View solution in original post

Reply
Solved! Jump to solution

Bartlander12
Explorer
‎07-23-2021 02:38 AM

My props.conf : 

[k8s]
INDEXED_EXTRACTIONS=JSON
TRUNCATE = 200000
SEDCMD-remove="country.*$

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-23-2021 04:02 AM

@Bartlander12 

Try this SEDCMD in your props.conf.

SEDCMD-a=s/,\s(\"country\": \"\w+[^,])//g

 

 

Screenshot 2021-07-23 at 4.32.44 PM.png

Thanks
KV
▄︻̷̿┻̿═━一   ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. 

Reply
Solved! Jump to solution

Bartlander12
Explorer
‎07-23-2021 05:59 AM

Hello!

Thank you so much for your help.

I can see it works for you, but is there something more what have you changed? Because it still not working for me.

 

I am testing it in standalone Splunk enterprise. I have already reinstalled splunk and I am creating the props.conf just in the etc/system/local/propos.conf. I am trying to keep it easy as possible.

I choose add data and I import my json file with k8s sourcetype. Would you have any idea why this SEDCMD is not working in my case?  I restart/refresh splunk every time

Thank you for your time

[k8s]
INDEXED_EXTRACTIONS = JSON
SEDCMD-a = s/,\s(\"country\": \"\w+[^,])//g

0 Karma
Reply
Solved! Jump to solution

Bartlander12
Explorer
‎07-23-2021 07:27 AM

THank you, It was really matter of correct regex. For me works this : 

s/"country": "Algeria",//

But anyway I need to remove everything behind it so I will use your suggestion as well. Thank you very much. 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...