How edit props.conf to replace characters in a log...

arjangoos · ‎12-05-2016

Log:

Dec 5 15:25:48 host : app='smtp', name='Email Status', policy_name='', dvc_host='', virtual_host='host', event_id=8888, reason_id=11, direction=2, src_ip='xx.xx.xx.xxx', src_host='', dest_ip='xx.xx.xx.xx', dest_host='', rhdr_ip='', is_primary_action=, scanner='', action='', status='Email Delivered', sender=<x.aaaaa@boa.bla.nl>, recipient='<ff.aa@aaa.com>', msgid='jkjkjkkljdfijijiji', orig_msgid='', nrcpts=1, relay='', subject='subject blaat hoe is het', size=34343, attachments='', number_attachments=0, virus_name='', file_name='', spamscore=, spamthreshold=, spamrules='', URL='', contentrule='[]', content_terms='[]', tz='CET', tz_offset='+0100', dlpfile='', dlprules='', dlpclassification='', dlpfileuploaded='', dlpfiledigest='', dlpfilesize='', url_filter_categorization='', ts_reputation_score=, ts_geo_location='', ts_ip_rep_status=, ts_hash_length=, ts_lookup_hash=''

Now we want the sender without <> and the recipient without '<>'. I think we have to do this in the props.conf with a regex but how?? Can someone help us?

sundareshr · ‎12-05-2016

You can create a calculate field to remove < & >. Use this for the eval function replace(sender, "\<|\>", "") You can create one for sender and a different one for recipient

https://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/CreatecalculatedfieldswithSplunkWeb

How edit props.conf to replace characters in a log?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!