Can you help me delete the '\' character after a field name?


Hello Friends,

I have the following issue

I have two types of logs: A & B

A & B are from the same Index, have the same source type and same source (wish of the Client)

BUT they differ in two aspects:
1) one contains the value "cisco_aaa" and the other "cisco_bbb"
2) log A has the structure FIELDNAME=VALUE (for all fields)
log B has the structure FIELDNAME = VALUE\ (for all fields)

Since they belong to the same sourcetype, I have no idea how to delete this \ after the value.
1) split them into two different sourcetypes, apply regex in props.conf

Please help

0 Karma


You could run a SEDCMD in props.conf for that log file name.
Something like this to replace any backslash with nothing:

SEDCMD-logbslash = s/\\//g

Then, in theory, the field extractions for Log A would work.

You can test the sed command in search with a:

|rex mode=sed 


0 Karma


Thank you very much.
1) I suppose changing the props.conf will cause changes on all fields?
2) I tried the rex command:
index =aaa |rex field=AuthorizationPolicyMatchedRule mode=sed "s/\//g"
I get an error:
Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

0 Karma


You may have to experiment with the sed string a little to get it to work. I'm no master at it myself.

I tried this on my searches, which worked.

| rex mode=sed field=_raw "s/\\\//g"

Search snippet before sed.


And After.

0 Karma


Can you provide some sample (obfuscated) data for each type of log? If you don't mind actually changing the events, it can be done in props.conf to make them look the same, but it will take seeing actual data to provide you with that answer.

0 Karma


Log A, as you can see some field values contain \ at the end, some not:
Sep 17 09:32:55 Sep 17 09:32:55 serverABC Log_A INFO OperatingSystem=Windows, EndpointCertainityMetric=50, EndpointIPAddress=x.x.x.22\, EndpointMacAddress=aa:x:x:x:x:aa, RadiusPacketType=AccessRequest\ DestinationIPAddress=x.x.x.44\

Log B, just a normal log:

Sep 17 09:32:55 Sep 17 09:32:55 serverDEF Log_B INFO SelectedAccessService=XXX, SelectedAuthorizationProfiles=YYY, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed...

0 Karma
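To show offline what the proposed SEDCMD (s/\\//g) actually does to the Log A sample posted above, here is an added Python example (not code from the thread or from Splunk): it applies a Python equivalent of that sed expression to a constructed copy of the Log A event, runs a simple KEY=VALUE extraction comparable to Splunk's automatic extraction, and reports which fields changed. The narrower strip_trailing_backslashes variant is my own suggestion, not something proposed in the thread; the extraction regex is an assumption about how values are delimited in these events.

```python
import re

# Constructed copy of the Log A sample from the thread (values already obfuscated there).
LOG_A = (
    "Sep 17 09:32:55 Sep 17 09:32:55 serverABC Log_A INFO "
    "OperatingSystem=Windows, EndpointCertainityMetric=50, "
    "EndpointIPAddress=x.x.x.22\\, EndpointMacAddress=aa:x:x:x:x:aa, "
    "RadiusPacketType=AccessRequest\\ DestinationIPAddress=x.x.x.44\\"
)

# Assumed extraction rule: a field name is a run of word characters before '=',
# and its value runs up to the next comma or whitespace (like Splunk's KV extraction).
KV_RE = re.compile(r"(\w+)=([^,\s]*)")


def extract_fields(event: str) -> dict:
    """Return {field: value} for every KEY=VALUE pair in the raw event."""
    return dict(KV_RE.findall(event))


def strip_all_backslashes(event: str) -> str:
    """Python equivalent of the props.conf SEDCMD  s/\\//g : remove every backslash."""
    return re.sub(r"\\", "", event)


def strip_trailing_backslashes(event: str) -> str:
    """Narrower variant (assumption, not from the thread): remove a backslash only
    when it terminates a value, i.e. it is followed by a comma, whitespace or end of line.
    This leaves backslashes that are legitimately part of a value (e.g. DOMAIN\\user) intact."""
    return re.sub(r"\\(?=,|\s|$)", "", event)


def fields_changed(before: str, after: str) -> dict:
    """Map each field whose extracted value differs to a (old, new) tuple."""
    old, new = extract_fields(before), extract_fields(after)
    return {k: (old[k], new.get(k)) for k in old if old[k] != new.get(k)}


if __name__ == "__main__":
    cleaned = strip_all_backslashes(LOG_A)
    print("before:", extract_fields(LOG_A))
    print("after: ", extract_fields(cleaned))
    for name, (old, new) in fields_changed(LOG_A, cleaned).items():
        print(f"{name}: {old!r} -> {new!r}")
```

Running it shows that, without the rewrite, EndpointIPAddress, RadiusPacketType and DestinationIPAddress all carry a trailing backslash (so a search like EndpointIPAddress=x.x.x.22 would not match them), and that both rewrite variants remove exactly those three trailing characters on this sample. Two caveats apply to the SEDCMD route: it rewrites _raw at index time, so it changes the whole event, not a single field, and it only affects data indexed after the change; already-indexed events still need the search-time rex mode=sed shown earlier in the thread.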