Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hide _raw instead of using a sed expression to trim _raw?

Bleepie
Communicator
‎10-06-2021 04:07 AM

Dear Splunk community,

I am using rex to extract data from _raw and put it into new fields like so:

 

 

[10/5/21 23:02:25:134 CEST] 00000063 SystemOut     O 05 Oct 2021 23:02:25:133 [INFO] [CRONSERVER] [CID-MXSCRIPT-1673979] SCRIPTNAME - 00 - Function:httpDiscovery(POST, https, host, /call, BASE64ENC(USER:PASSWORD)) Profile = MYPROFILE - Scope = MYHOSTNAME - End - Result(strResponseStatus, stResponseReason, strResponseData)=([200], [OK], [{"message":"SUCCESS"}{"runId":"2021100523022485"}
])
| rex field=_raw "Scope = (?<fqdn>\S*)"
| rex field=_raw "Profile = (?<profile>\S*)"

 

 

This will create new fields and also show _raw. I don't want _raw to show, but if I use this:

 

 

| table _time

 

 

Instead of this:

 

 

| table _time, _raw,

 

 

The fields that I create will no longer show, so I have to include _raw aswell. I can use mode=sed when using rex to delete data from _raw and for example only keep profile and then rename _raw to profile, but I don't have any experience using sed and I would prefer a easier way.

My question:

Is it possible to hide _raw and still use rex on _raw to create new fields?

 

Thanks.

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2021 04:41 AM

It all depends on the order of your commands.

<search> | rex | table

Is a different beast from

<search> | table | rex

So I'd extract the fields first then either do a table over your fields

<search> | rex for field1 | rex for field2 | ... | table _time field1 field2 ...

Or instead of table you might just remove a _raw field

| fields - _raw

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2021 04:41 AM

It all depends on the order of your commands.

<search> | rex | table

Is a different beast from

<search> | table | rex

So I'd extract the fields first then either do a table over your fields

<search> | rex for field1 | rex for field2 | ... | table _time field1 field2 ...

Or instead of table you might just remove a _raw field

| fields - _raw
0 Karma
Reply
Solved! Jump to solution

Bleepie
Communicator
‎10-06-2021 04:53 AM

This never came up in my mind, thanks!


I used

fields - _raw

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...