Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Source Transform Replace '/' with '_'

ekremikizoglu
Explorer
‎12-28-2016 03:51 AM

Hi,

I created props and transforms files to put source value of file in raw event. I am sending these event to third party app. I am using heavy forwarder. But ı need to replace "/",":"(non-alphanumeric) with "_" . Is there any way to replace char in source field with transforms.conf ? I saw CLEAN_KEYS but this attribute is only valid for search-time field extractions.

Props:
[mysource]
DATETIME_CONFIG = CURRENT
category = Custom
pulldown_type = 1
TRANSFORMS-EYI_Transform = e_source
CHARSET = AUTO

[e_source]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(.*)$
FORMAT = filepath$1filepath$0
DEST_KEY = _raw

Event look like :
filepathD:\inetpub\LocalUser\MYFILE.TXTfilepath\xE1\xEC\xEB\x8C\x00\x00\x8C\x00\x0030.09.201601.01.0001x \x00NNYNNSAYX SAYX 2016-12-06-11.29.05.4154172016-12-06-13.09.42.541869\x00\x00\x00

Event should look like :
filepathD__inetpub_LocalUser_MYFILE.TXTfilepath\xE1\xEC\xEB\x8C\x00\x00\x8C\x00\x0030.09.201601.01.0001x \x00NNYNNSAYX SAYX 2016-12-06-11.29.05.4154172016-12-06-13.09.42.541869\x00\x00\x00

0 Karma
Reply

lguinn2
Legend
‎12-28-2016 01:52 PM

First - exactly what are you trying to do? Your transformation appears to attempt to manipulate both the source and the raw data.

If you are trying to change the actual source field for an event: there is no way to search-and-replace within the source field at indexing time.

If you are trying to change the characters in a file name that appears within the raw data of an event: you can do this. The rest of this answer explains how:

props.conf

[mysource]
DATETIME_CONFIG = CURRENT
category = Custom
pulldown_type = 1
CHARSET = AUTO
SEDCMD-abc = y/\/\:/__/

For more information about the SEDCMD, take a look at the Anonymize Data page in the documentation.

0 Karma
Reply

ekremikizoglu
Explorer
‎12-28-2016 10:42 PM

Hi,

thanks for your reply. I am sending these logs to 3rd application. So It does not know about data's file name. So I added source field to raw data to understand which file's data is.

I think your setting transforms all raw data . But i want to manupulate just part of raw data which is filename area.

Event look like :
filepathD:\inetpub\LocalUser\MYFILE.TXTfilepathrest of my raw data \0 bla bla:111

Event should look like :
filepathD__inetpub_LocalUser_MYFILE.TXTfilepathrest of my raw data \0 bla bla:111

Event should not look like :
filepathD__inetpub_LocalUser_MYFILE.TXTfilepathrest of my raw data _0 bla bla_111

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top