Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field manipulation using SED
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am testing using Splunk to index a minecraft server, but have some problem with user name.
Lines look like this:
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Since field names do confirm to some=data they are automatically extracted.
For some reason some user has §4 in front of name and §r after it.
I have temporary solved this by using SED like this:
source=minecraft | rex mode=sed field=player "s/(§4|§r)//g" | top player
This works fine.
But I would like to remove the data from the indexed data, so I tried this:
props.conf
[minecraft]
SED-remove_data = "s/(§4|§r)//g"
and
props.conf
[minecraft]
SED-remove_data = s/(§4|§r)//g
But none of them works.
What do I do wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:
[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:
[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The correct attribute name is SEDCMD in props.conf.
Also, hope you're adding this props.conf on heavy forwarder/indexer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will test it out.
I do only have one Splunk server, no forwarder.
Edit.
Dit not work on my server.
[minecraft]
SEDCMD-remove_data = "s/(§4|§r)//g"
Edit2.
It seem to be that the § symbol messes things up.
After removing the " in SEDCMD command, it has no more player, but changed it to playe and have removed the 4 from the time, so it get like this:
playe=§BirksX§r
I can see in nano that the § shows like a strange character, but ok using cat.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
