Getting Data In

cut a specific phrase in props.conf

GSNRMUVW
Loves-to-Learn

Hi Community,

how to cut...

, "q": 0, "user": "system.user.admin"

...from...

{ "val": 0, "ts": 1770058561014, "q": 0, "user": "system.user.admin" }

...with SEDCMD in props.conf?

This...

[host::iobroker]
SEDCMD-remove = s/^, "q": 0, "user": "system.user.admin"$//g

...doesn't work!

Thank you in advance for your help - Markus


PickleRick
SplunkTrust

Unfortunately, you're trying to manipulate structured data with plain regexes. It might work if your JSONs are always formatted the same way (which the JSONs don't have to be, since they rely on logical structure instead of strict formatting or field order).

If your SEDCMD doesn't work, you're probably not matching the part right with your regex. Maybe it's about other whitespaces than you expect. Or maybe there's another number of those whitespaces.

Check your regex on your real data using https://regex101.com/ - it will show you if it matches or not and you'll be able to debug the regex and see where it fails if it does.


GSNRMUVW
Loves-to-Learn

Thanks for your suggestion.
I've already tried regex101, but the one that was successfully tested...

/, "q": 0, "user": "system.user.admin"/g

...doesn't work either.


PickleRick
SplunkTrust

OK. That suggests that your SEDCMD is not invoked at all (you could try something obviously right like

SEDCMD-test = s/a/z/g

to verify).

If it indeed doesn't work, that means that either:

1) It's defined in a wrong stanza (a typical mistake here would be attaching it to a host value which is not provided at the beginning of the ingestion pipeline but rather comes from a rewrite in the middle of it).

2) It's set on a wrong component (either on a UF or a heavy component - indexer or HF - which is not the first one in the event's path - like an indexer behind a HF).


GSNRMUVW
Loves-to-Learn

I can rule out both, as other manipulations work.
However, I was happy to carry out your test with the following result:

{ "vzl": 0, "ts": 1770063182265, "q": 0, "user": "system.user.zdmin" }

richgalloway
SplunkTrust

You have the right idea, but that regex doesn't work because it's told to expect , "q" at the beginning of the event, which doesn't match the data. Try

SEDCMD-remove = s/, "q": 0, "user": "system.user.admin"//g

Anchor tags (^ and $) are not needed as often as commonly thought.

---
If this reply helps you, Karma would be appreciated.
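To see why the anchored command cannot match this event while the unanchored one does, here is an added Python simulation of a sed-style `s/regex/replacement/flags` substitution applied to the sample event from the thread. It is not Splunk's own code: the `apply_sedcmd` helper is a simplified assumption that only mimics the substitution semantics, and the whitespace-tolerant variant is an assumed extension of PickleRick's remark about unexpected spacing.

```python
import json
import re

# Constructed sample event copied from the question (not real ingested data).
EVENT = '{ "val": 0, "ts": 1770058561014, "q": 0, "user": "system.user.admin" }'

# Hypothetical helper: parse a sed-style value s/<regex>/<replacement>/<flags>
# and apply it with Python's re module. It is not Splunk's parser: it only
# supports '/' as the delimiter and the 'g' and 'i' flags.
def apply_sedcmd(sedcmd: str, event: str) -> str:
    m = re.fullmatch(r"s/(.*?)(?<!\\)/(.*?)(?<!\\)/([gi]*)", sedcmd)
    if not m:
        raise ValueError(f"not an s/// command: {sedcmd!r}")
    pattern, repl, flags = m.groups()
    count = 0 if "g" in flags else 1            # 'g' = replace every match
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(pattern, repl, event, count=count, flags=re_flags)

# The original command: ^ and $ require the phrase to be the entire event,
# so it never matches when other fields surround it.
ANCHORED = 's/^, "q": 0, "user": "system.user.admin"$//g'
# richgalloway's command: the phrase may appear anywhere in the event.
UNANCHORED = 's/, "q": 0, "user": "system.user.admin"//g'
# Assumed variant that tolerates varying whitespace between the tokens.
TOLERANT = r's/,\s*"q":\s*0,\s*"user":\s*"system\.user\.admin"//g'

def still_valid_json(text: str) -> bool:
    """Check that stripping the phrase leaves a parseable JSON object."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for name, cmd in (("anchored", ANCHORED), ("unanchored", UNANCHORED),
                      ("tolerant", TOLERANT)):
        out = apply_sedcmd(cmd, EVENT)
        print(f"{name:10s} changed={out != EVENT} valid_json={still_valid_json(out)}")
        print("   ", out)
```

Running it shows the anchored command leaves the event untouched, while both unanchored forms remove the phrase and leave `{ "val": 0, "ts": 1770058561014 }`, which still parses as JSON.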

GSNRMUVW
Loves-to-Learn

Thank you for your support... but unfortunately, this suggestion does not work, and the entire log continues to be indexed...
