Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field manipulation using SED

lakromani
Builder
‎03-04-2016 02:43 PM

I am testing using Splunk to index a minecraft server, but have some problem with user name.
Lines look like this:

Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS

Since field names do confirm to some=data they are automatically extracted.
For some reason some user has §4 in front of name and §r after it.

I have temporary solved this by using SED like this:

source=minecraft | rex mode=sed field=player "s/(§4|§r)//g" | top player

This works fine.
But I would like to remove the data from the indexed data, so I tried this:

props.conf
[minecraft]
SED-remove_data = "s/(§4|§r)//g"

and 

props.conf
[minecraft]
SED-remove_data = s/(§4|§r)//g

But none of them works.
What do I do wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakromani
Builder
‎03-05-2016 12:08 AM

Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:

[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lakromani
Builder
‎03-05-2016 12:08 AM

Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:

[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g
0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎03-04-2016 03:10 PM

The correct attribute name is SEDCMD in props.conf.

Also, hope you're adding this props.conf on heavy forwarder/indexer

Reply
Solved! Jump to solution

lakromani
Builder
‎03-04-2016 04:00 PM

Will test it out.
I do only have one Splunk server, no forwarder.

Edit.
Dit not work on my server.

[minecraft]
SEDCMD-remove_data = "s/(§4|§r)//g"

Edit2.
It seem to be that the § symbol messes things up.
After removing the " in SEDCMD command, it has no more player, but changed it to playe and have removed the 4 from the time, so it get like this:

playe=§BirksX§r

I can see in nano that the § shows like a strange character, but ok using cat.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...