- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field manipulation using SED
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am testing using Splunk to index a minecraft server, but have some problem with user name.
Lines look like this:
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Since field names do confirm to some=data they are automatically extracted.
For some reason some user has §4 in front of name and §r after it.
I have temporary solved this by using SED like this:
source=minecraft | rex mode=sed field=player "s/(§4|§r)//g" | top player
This works fine.
But I would like to remove the data from the indexed data, so I tried this:
props.conf
[minecraft]
SED-remove_data = "s/(§4|§r)//g"
and
props.conf
[minecraft]
SED-remove_data = s/(§4|§r)//g
But none of them works.
What do I do wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:
[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:
[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The correct attribute name is SEDCMD in props.conf.
Also, hope you're adding this props.conf on heavy forwarder/indexer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will test it out.
I do only have one Splunk server, no forwarder.
Edit.
Dit not work on my server.
[minecraft]
SEDCMD-remove_data = "s/(§4|§r)//g"
Edit2.
It seem to be that the § symbol messes things up.
After removing the " in SEDCMD command, it has no more player, but changed it to playe and have removed the 4 from the time, so it get like this:
playe=§BirksX§r
I can see in nano that the § shows like a strange character, but ok using cat.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
