Escape literal $ at FORMAT of transforms.conf

Assaf_Katz
Loves-to-Learn

Hi,

I have the following transforms.conf:

[REPLACEMENT_COST]
CLEAN_KEYS = 0
FORMAT = $1"REPLACEMENT_COST2":"$2$s"$3
REGEX = (.*)"REPLACEMENT_COST":([^,]+)(.*)
#SOURCE_KEY = REPLACEMENT_COST
DEST_KEY = _raw



I had to write s in the FORMAT field right after $, since otherwise, it does nothing. Is there any option to escape the dollar sign in this field?

The relevant props.conf is:

[json_multiline]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ([\r\n]+)
MAX_DAYS_AGO = 10000
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = LAST_UPDATE
TIME_FORMAT = %m/%e/%y %H:%M
category = Custom
pulldown_type = 1
disabled = false
KV_MODE = none
EVAL-DESCRIPTION = replace(DESCRIPTION, "([A-Z])", " \1")
EVAL-SPECIAL_FEATURES = split(replace(SPECIAL_FEATURES, "([A-Z])", " \1"), ",")
LOOKUP-LANGUAGE = LANGUAGE.csv LANGUAGE_ID
TRANSFORMS-REPLACEMENT = REPLACEMENT_COST



Thanks

0 Karma

isoutamo
SplunkTrust

Hi

Usually the character \ is used as the escape character. I haven't tried whether this also works in your case, but you could try it like "\$" in your transforms.conf and see if it works or not.

r. Ismo

0 Karma

Assaf_Katz
Loves-to-Learn

Hi,

Thank you, but I tried and it doesn't work.

Thanks

0 Karma