Splunk Search

Can you help me delete the '\' character after a field name?

alex_kh
Explorer

Hello Friends,

I have the following issue

I have two types of logs: A & B

A & B are from the same Index, have the same source type and same source (wish of the Client)

BUT they differ in two aspects:
1) one contains the value "cisco_aaa" and the other "cisco_bbb"
2) log A has the structure FIELDNAME=VALUE (for all fields)
log B has the structure FIELDNAME = VALUE\ (for all fields)

Since they belong to the same sourcetype, I have no idea how to delete this \ after the value.
Ideas:
1) split them into two different sourcetypes and apply a regex in props.conf

Please help

0 Karma

JDukeSplunk
Builder

You could run a SEDCMD in props.conf for that log file name.
Something like this to replace any backslash with nothing.

[source::..path/to/logb/logb.log]
SEDCMD-logbslash = s/\\//g

Then, in theory, the field extractions for Log A would work.

You can test the sed command in search with a

|rex mode=sed 

http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex

0 Karma

alex_kh
Explorer

Thank you very much.
1) I suppose changing the props.conf will cause changes on all fields?
2) I tried the rex command:
index =aaa |rex field=AuthorizationPolicyMatchedRule mode=sed "s/\//g"
I get an error:
Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

0 Karma

JDukeSplunk
Builder

You may have to experiment with the sed string a little to get it to work. I'm no master at it myself.

I tried this on my searches, which worked.

| rex mode=sed field=_raw "s/\\\//g"

Search snippet before sed:

(category:"/Newsletter/Impact\+letter")*

And after:
(category:"/Newsletter/Impact+letter")

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Can you provide some sample (obfuscated) data for each type of log? If you don't mind actually changing the events, it can be done in props.conf to make them look the same, but it will take seeing actual data to provide you with that answer.

0 Karma

alex_kh
Explorer

Log A; as you can see, some field values contain \ at the end and some do not:
Sep 17 09:32:55 255.255.255.33 Sep 17 09:32:55 serverABC Log_A INFO OperatingSystem=Windows, EndpointCertainityMetric=50, EndpointIPAddress=x.x.x.22\, EndpointMacAddress=aa:x:x:x:x:aa, RadiusPacketType=AccessRequest\ DestinationIPAddress=x.x.x.44\

Log B, just a normal log:

Sep 17 09:32:55 255.255.255.34 Sep 17 09:32:55 serverDEF Log_B INFO SelectedAccessService=XXX, SelectedAuthorizationProfiles=YYY, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed...

0 Karma
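As an added illustration that is not part of the thread, the Python below models why `"s/\//g"` fails in rex while `"s/\\\//g"` works (sed's s/// splitting applied after SPL unquoting, on the assumption that SPL turns only `\\` into `\` and `\"` into `"` inside double quotes), run over a constructed line patterned on the Log A sample above. It also shows a narrower strip that removes only a backslash terminating a value, which a blanket `s/\\//g` would not distinguish from a backslash inside a value (the `User=CORP\alice` field is constructed to make that visible).

```python
import re

# Constructed input patterned on the "Log A" sample in the thread (addresses are placeholders);
# the User= field is added here to show what an unconditional backslash strip would damage.
LOG_A = ("serverABC Log_A INFO OperatingSystem=Windows, EndpointIPAddress=x.x.x.22\\, "
         "RadiusPacketType=AccessRequest\\ DestinationIPAddress=x.x.x.44\\")
SAMPLE = "User=CORP\\alice, Host=x.x.x.22\\ Status=Passed\\"

def spl_unquote(arg):
    # Model of SPL double-quote unescaping (assumption): a doubled backslash becomes one,
    # an escaped quote becomes a quote, and every other backslash is left untouched.
    return re.sub(r'\\([\\"])', r'\1', arg)

def parse_sed(expr):
    """Split s/PATTERN/REPL/FLAGS into its parts, keeping backslash-escaped delimiters inside a part."""
    if len(expr) < 2 or expr[0] != 's':
        raise ValueError("not an s/// expression")
    delim, parts, cur, i = expr[1], [], '', 2
    while i < len(expr) and len(parts) < 2:
        if expr[i] == '\\' and i + 1 < len(expr):   # an escape consumes the following character
            cur, i = cur + expr[i:i + 2], i + 2
            continue
        if expr[i] == delim:
            parts.append(cur)
            cur = ''
        else:
            cur += expr[i]
        i += 1
    if len(parts) < 2:   # the replacement was never closed by a delimiter
        raise ValueError("Failed to parse the replacement string")
    return parts[0], parts[1], expr[i:]

def rex_sed(spl_arg, text):
    """Approximation of `| rex mode=sed "<spl_arg>"`: unquote the SPL string, parse it, substitute."""
    pattern, repl, flags = parse_sed(spl_unquote(spl_arg))
    return re.sub(pattern, repl, text, count=0 if 'g' in flags else 1)

def rex_sed_error(spl_arg):
    """Return the parse error message for an SPL sed argument, or None if it parses."""
    try:
        parse_sed(spl_unquote(spl_arg))
    except ValueError as err:
        return str(err)
    return None

def strip_value_backslashes(line):
    """Narrower fix: drop only a backslash that ends a value (before ',', whitespace or end of line)."""
    return re.sub(r'\\(?=[,\s]|$)', '', line)
```

`rex_sed_error(r's/\//g')` reproduces the "Failed to parse the replacement string" error, because `\/` is an escaped delimiter and the replacement is then never closed; `rex_sed(r's/\\\//g', LOG_A)` strips every backslash, while `strip_value_backslashes(SAMPLE)` keeps the one in `CORP\alice`.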