Some events flow into the Splunk instance via syslog sockets.
For a brief period of time, the sourcetypes that came in via syslog were prepended with the standard syslog code like <142> (so the line would read <142>May 6 ...). This was only for a few days.
Is there a way I can do a built-in search-time extraction to mask the <\d+> prepended to these sourcetypes so that 1. It is not seen and 2. All of the rest of the props/transforms extractions will work as if it wasn't there?
Note: I do not mean to use something like rex in the search-command, but rather, make the change in the splunk configs to mask these characters from any search results.
I recommend against it, but you could do:
[mysourcetype] EXTRACT-out = (?s)^(?:\<\d+\>)?(?<altraw>.*) FIELDALIAS-raw = altraw as _raw
Update: Oh, but FIELDALIAS runs after all other extractions, so no the other extractions won't work as if it wasn't there. And as you've no doubt found, you can't overwrite
_raw with an
If sensitive info were accidentally indexed (e.g. PII like SSN#) as part of other logdata that you didn't want any Splunk users to see, would the only solution be to delete, edit(raw) and then reIndex?
You can use the
| delete command to prevent specific events from being returned in search. (Note it does not reclaim disk space or remove the data from the disk, but simply makes it unretrieveable via Splunk.) Yes, then you can edit the raw data (or set up a
SEDCMD to edit the data as is comes in and reindex.