Solved: Re: Delete a search-time field after extraction

_smp_ · ‎02-24-2018

I have a set of logs that require a pretty complex set of regexes to parse. The data has about 8 columns separated by commas, but the values have commas all over the place too so it's not a simple CSV extraction. To make it worse, each column has a bunch of different multivalue field/value pairs with spaces, double-quotes, commas, all sorts of stuff.

In any case, I have successfully extracted the columns into fields with an EXTRACT in props. Then I use that field as the SOURCE_KEY in transforms.conf to do additional extractions - schematically like what I have below.

The data in the COLUMN3 field is not meaningful to the user - it is only used as a simpler means to extract other fields. Therefore I don't want the COLUMN3 field to remain as a search-time extraction for the user. Is there a way to delete the COLUMN3 field after all the fields have been extracted from it?

props.conf
[logs]
EXTRACT-COLUMN1,COLUMN2,COLUMN3 = ^(.*?),(.*?),(.*?)$
REPORT-field_from_COLUMN3 = field_from_COLUMN3

transforms.conf
[field_from_COLUMN3]
SOURCE_KEY = COLUMN3
REGEX = Field=(?P<Field>.*)

martin_mueller · ‎02-24-2018

You should be able to define a calculated field EVAL-COLUMN3 = null() that overwrites the value after the transforms ran: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Searchtimeoperationssequence

View solution in original post

martin_mueller · ‎02-24-2018

You should be able to define a calculated field EVAL-COLUMN3 = null() that overwrites the value after the transforms ran: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Searchtimeoperationssequence

_smp_ · ‎02-24-2018

Brilliant! Thanks!

Delete a search-time field after extraction

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash