Hiya, simple question here. I want to change the way a value is represented to me after I index, see the following:
2014-02-21 10:42:57 support-1 root: [ID 702911 daemon.notice] * <WARNING> : target=backed(up
I want "backed(up" to be replaced with "backed-up". Any suggestions?
Try this :
If you want to anonymize data at search time then try :
| makeresults
| eval _raw=" 2014-02-21 10:42:57 support-1 root: [ID 702911 daemon.notice] * <WARNING> : target=backed(up"
| rex field=_raw mode=sed "s/(backed)\((up)/\1-\2/g"
at index time then try:
1) Edit or create a copy of props.conf in $SPLUNK_HOME/etc/system/local
Create a props.conf stanza that uses SEDCMD
to indicate a sed script:
[<your_sourcetype>]
SEDCMD-backedup = s/(backed)\((up)/\1-\2/g
2) After making changes to props.conf, restart the Splunk instance to enable the configuration.
let me know if this helps!
@JPrictoe
After data is indexed. If you want to change the following underling data only in your query.
Then you can try something like i mentioned below. This won't change the data in index.
| makeresults
| eval target="backed(up"
| replace "backed(up" with "backed-up"
| table target
@shankarananth you are missing in target
argument in your replace command, otherwise it will apply to all the available fields.
| makeresults
| eval target="backed(up", someotherfield="backed(up"
| replace "backed(up" with "backed-up"
| table target someotherfield
So correct query is
| makeresults
| eval target="backed(up", someotherfield="backed(up"
| replace "backed(up" with "backed-up" in target
| table target someotherfield
Here is another option with replace()
evaluation function
| makeresults
| eval target="backed(up", someotherfield="backed(up"
| eval target=replace(target,"(backed)\((up)","\1\2")
| table target
However, better approach would be to use SEDCMD during index-time as suggested by @mayurr98 and @somesoni2, so that data is indexed as expected, rather than using search time field corrections. As per your question you are looking for index time correction.
You should also check out the feasibility of correcting the logging by application in the first place if the logged text is not as expected. Even if you don't own the code or the app is third party, you can always notify them of such correction with miss-spelled/incorrect logging!
You can use data masking/anonymization methods listed in below link to replace a string with another.
http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Anonymizedata