Splunk Search

How do I edit my "rex mode=sed" search to extract this field?

Builder

Just playing with rex sed a bit here. I had a load balancer log which pops out the data center name. I just thought I would SED the event so that it was in key=value format, but it doesn't look like Splunk will extract it as a field. Is there an option I am missing, or is this normal?

tag=mystuff | rex mode=sed "s/MYDCname/datacenter=MYDCname /g"
0 Karma

Re: How do I edit my "rex mode=sed" search to extract this field?

SplunkTrust

Providing sample events and highlighting the value you need to extract as a field will help here. The rex with sed is just to update an existing field value. To create/extract a new field, use regular rex (the field= option defaults to _raw), something like this:

tag=mystuff | rex field=yourfield "(?<datacenter>MYDCname)"
0 Karma
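A self-contained search that shows the difference on a constructed event, added here as an example and not taken from any of the replies above: the sed rewrite changes _raw, but a datacenter field only appears once a regular rex with a named capture group is run over the rewritten text. The log line, the vip and client fields, and the field name datacenter are made up for this example; makeresults, eval, rex and table are standard SPL commands.

```spl
| makeresults
| eval _raw="2016-03-01T12:00:05Z lb01 vip=web-prod client=10.1.2.3 status=200 MYDCname"
| rex mode=sed "s/MYDCname/datacenter=MYDCname/g"
| rex "datacenter=(?<datacenter>\w+)"
| table _raw datacenter
```

The first rex rewrites _raw so that it now reads `... status=200 datacenter=MYDCname`; on its own that does not create a field, because automatic key=value extraction has already run by the time rex executes. The second rex, with a named group, is what produces the datacenter column (value MYDCname). Running `| extract` after the sed step instead of the second rex also works, since that command re-runs automatic key=value extraction on the current _raw.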

Re: How do I edit my "rex mode=sed" search to extract this field?

Esteemed Legend

If you are trying to modify it BEFORE it gets indexed, you need to put a SEDCMD in a props.conf on your HF or Indexers:
http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles

0 Karma
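What that props.conf stanza looks like, added here as an example and not part of the reply above: the sourcetype name lb_access and the class name add_dc are assumptions, and the rewrite itself is the one from the original question.

```ini
[lb_access]
SEDCMD-add_dc = s/MYDCname/datacenter=MYDCname/g
```

Because SEDCMD runs at parse time, the rewritten text is what gets indexed, so the normal search-time key=value extraction will then pick up datacenter as a field without any rex in the search. It only applies to data that arrives after the setting is in place on the heavy forwarder or indexer doing the parsing; events that are already indexed are not rewritten.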

Re: How do I edit my "rex mode=sed" search to extract this field?

Motivator

Hi,
just escape the = character like below:

tag=mystuff | rex mode=sed "s/MYDCname/datacenter\=MYDCname /g"

Verify that the MYDCname string is present in the _raw field.

0 Karma