Splunk Search

Can you help me delete the '\' character after a field name?

alex_kh
Explorer

Hello Friends,

I have the following issue

I have two types of logs: A & B

A & B are from the same Index, have the same source type and same source (wish of the Client)

BUT they differ in two aspects:
1) the one contains the value "cisco_aaa" and the another "cisco_bbb"
2) log A has the structure FIELDNAME=VALUE (for allffileds)
log B has the structure FIELDNAME = VALUE\ (for all fields)

since they belong to the same sourcetype i have no idea how to delete this \ after the value
Ideas:
1)split them in two different sourcetypes, apply regex in props.conf

Please help

0 Karma

JDukeSplunk
Builder

You could run a SEDCMD in props.conf that log file name.
Something like this to replace any backslash with nothing.

[source::..path/to/logb/logb.log]
SEDCMD-logbslash = s/\\//g

Then in theory the field extractions for Log A would work

You can test the sed command in search with a

|rex mode=sed 

http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex

0 Karma

alex_kh
Explorer

Thank you very much.
1) I suppose changing the props.conf will cause changes on all fields?
2)i tried the rex command
index =aaa |rex field=AuthorizationPolicyMatchedRule mode=sed "s/\//g"
I get an error:
Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

0 Karma

JDukeSplunk
Builder

You may have to experiment with the sed string a little to get it to work. I'm no master at it myself.

I tried this on my searches, which worked.

| rex mode=sed field=_raw "s/\\\//g"

Search snippet before sed.

(category:"/Newsletter/Impact\+letter")*

And After.
(category:"/Newsletter/Impact+letter")

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Can you provide some sample (obfuscated) data for each type of log? If you don't mind actually changing the events, it can be done in props.conf to make them look the same, but it will take seeing actual data to provide you with that answer.

0 Karma

alex_kh
Explorer

Log A, as you can see some field values contain \ at the end some not:
Sep 17 09:32:55 255.255.255.33 Sep 17 09:32:55 serverABC Log_A INFO OperatingSystem=Windows, EndpointCertainityMetric=50, EndpointIPAddress=x.x.x.22\, EndpointMacAddress=aa:x:x:x:x:aa, RadiusPacketType=AccessRequest\ DestinationIPAddress=x.x.x.44\

Log B, just a normal log

Sep 17 09:32:55 255.255.255.34 Sep 17 09:32:55 serverDEF Log_B INFO SelectedAccessService=XXX, SelectedAuthorizationProfiles=YYY, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed...

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!