Hello all,
This is probably very easy or impossible in Splunk, but I can't find any sufficient answers.
I am trying to remove a single property from a JSON event (during parsing, or I don't want it at all), e.g. I want to remove the "country": property and everything in it in every event which will come to Splunk. Is something like that possible?
I have tried some SEDCMD in props.conf but no success. Do you have any ideas? Thank you very much.
{ "random": 23, "random float": 28.173, "bool": false, "date": "1990-08-31", "regEx": "helloooooooooooooooooooooooooooooooooooooooooooooooooo world", "enum": "generator", "firstname": "Latisha", "lastname": "Alexandr", "city": "Tiraspol", "country": "Algeria", "countryCode": "MC", "email uses current data": "Latisha.Alexandr@gmail.com", "email from expression": "Latisha.Alexandr@yopmail.com", "array": [ "Dyann", "Christal", "Renie", "Tilly", "Margette" ], "array of objects": [ { "index": 0, "index start at 5": 5 }, { "index": 1, "index start at 5": 6 }, { "index": 2, "index start at 5": 7 } ], "Raquela": { "age": 50 } }
Try this SEDCMD in your props.conf.
SEDCMD-a=s/,\s(\"country\": \"\w+[^,])//g
Thanks
KV
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
My props.conf:
[k8s]
INDEXED_EXTRACTIONS=JSON
TRUNCATE = 200000
SEDCMD-remove="country.*$
Hello!
Thank you so much for your help.
I can see it works for you, but is there something more that you have changed? Because it is still not working for me.
I am testing it in a standalone Splunk Enterprise. I have already reinstalled Splunk and I am creating the props.conf just in etc/system/local/props.conf. I am trying to keep it as easy as possible.
I choose Add Data and I import my JSON file with the k8s sourcetype. Would you have any idea why this SEDCMD is not working in my case? I restart/refresh Splunk every time.
Thank you for your time.
[k8s]
INDEXED_EXTRACTIONS = JSON
SEDCMD-a = s/,\s(\"country\": \"\w+[^,])//g
Thank you, it was really a matter of the correct regex. For me, this works:
s/"country": "Algeria",//
But anyway, I need to remove everything behind it, so I will use your suggestion as well. Thank you very much.
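To see what each SEDCMD pattern from this thread actually does to the posted event, here is an added Python script (not from the thread or from Splunk) that emulates the sed-style substitution with re.sub and checks whether the rewritten event still parses as JSON. It assumes the `"country.*$` line was meant as the full expression `s/"country.*$//`, and it adds one value-agnostic pattern (SEDCMD_GENERAL) that does not appear in the thread.

```python
import json
import re

# Constructed sample event, trimmed from the one posted in the question.
EVENT = ('{"random": 23, "bool": false, "firstname": "Latisha", "city": "Tiraspol", '
         '"country": "Algeria", "countryCode": "MC", "Raquela": {"age": 50}}')

# Expressions discussed in the thread, plus one added generalisation.
SEDCMD_KV = r's/,\s(\"country\": \"\w+[^,])//g'    # KV's suggestion
SEDCMD_TRUNCATE = r's/"country.*$//'              # "country.*$ read as a full s/// expression (assumption)
SEDCMD_OP = r's/"country": "Algeria",//'          # the asker's value-specific version
SEDCMD_GENERAL = r's/,\s*"country":\s*"[^"]*"//'  # added: any string value, not tied to "Algeria"


def apply_sedcmd(expr, text):
    """Emulate a Splunk SEDCMD 's/regex/replacement/flags' on one raw event.

    Splunk applies a sed-style substitution at parse time; Python's re.sub is
    close enough for these patterns. Only the 's' form with an unescaped '/'
    delimiter and the g/i flags is handled here.
    """
    m = re.fullmatch(r"s/(.*?)(?<!\\)/(.*?)(?<!\\)/([gi]*)", expr)
    if not m:
        raise ValueError(f"unsupported SEDCMD expression: {expr}")
    pattern, repl, flags = m.groups()
    count = 0 if "g" in flags else 1  # sed replaces only the first match unless 'g'
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(pattern, repl, text, count=count, flags=re_flags)


def check(expr, text=EVENT):
    """Apply the SEDCMD and report whether the rewritten event still parses as
    JSON (which INDEXED_EXTRACTIONS=JSON needs), whether the 'country' key is
    gone, and whether the unrelated 'countryCode' key survived."""
    out = apply_sedcmd(expr, text)
    try:
        json.loads(out)
        valid = True
    except json.JSONDecodeError:
        valid = False
    return {"valid_json": valid,
            "country_removed": '"country":' not in out,
            "countryCode_kept": '"countryCode":' in out,
            "event": out}


if __name__ == "__main__":
    for name, expr in [("KV", SEDCMD_KV), ("truncate", SEDCMD_TRUNCATE),
                       ("OP", SEDCMD_OP), ("general", SEDCMD_GENERAL)]:
        print(name, {k: v for k, v in check(expr).items() if k != "event"})
```

Running it shows the `"country.*$` variant also deletes countryCode and the closing brace, so the event is no longer JSON, while the other three leave a parseable event; only SEDCMD_OP depends on the literal value "Algeria".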