Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to change a value at index time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change a value at index time
Hiya, simple question here. I want to change the way a value is represented to me after I index, see the following:
2014-02-21 10:42:57 support-1 root: [ID 702911 daemon.notice] * <WARNING> : target=backed(up
I want "backed(up" to be replaced with "backed-up". Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this :
If you want to anonymize data at search time then try :
| makeresults
| eval _raw=" 2014-02-21 10:42:57 support-1 root: [ID 702911 daemon.notice] * <WARNING> : target=backed(up"
| rex field=_raw mode=sed "s/(backed)\((up)/\1-\2/g"
at index time then try:
1) Edit or create a copy of props.conf in $SPLUNK_HOME/etc/system/local
Create a props.conf stanza that uses SEDCMD to indicate a sed script:
[<your_sourcetype>]
SEDCMD-backedup = s/(backed)\((up)/\1-\2/g
2) After making changes to props.conf, restart the Splunk instance to enable the configuration.
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@JPrictoe
After data is indexed. If you want to change the following underling data only in your query.
Then you can try something like i mentioned below. This won't change the data in index.
| makeresults
| eval target="backed(up"
| replace "backed(up" with "backed-up"
| table target
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@shankarananth you are missing in target argument in your replace command, otherwise it will apply to all the available fields.
| makeresults
| eval target="backed(up", someotherfield="backed(up"
| replace "backed(up" with "backed-up"
| table target someotherfield
So correct query is
| makeresults
| eval target="backed(up", someotherfield="backed(up"
| replace "backed(up" with "backed-up" in target
| table target someotherfield
Here is another option with replace() evaluation function
| makeresults
| eval target="backed(up", someotherfield="backed(up"
| eval target=replace(target,"(backed)\((up)","\1\2")
| table target
However, better approach would be to use SEDCMD during index-time as suggested by @mayurr98 and @somesoni2, so that data is indexed as expected, rather than using search time field corrections. As per your question you are looking for index time correction.
You should also check out the feasibility of correcting the logging by application in the first place if the logged text is not as expected. Even if you don't own the code or the app is third party, you can always notify them of such correction with miss-spelled/incorrect logging!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use data masking/anonymization methods listed in below link to replace a string with another.
http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Anonymizedata
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
