Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove blanks in a field in data entry

vprunera
New Member
‎06-16-2022 03:31 AM

Hi,

I'm trying to remove blanks in a field when adding a csv file.  In heavy-forwarder I have tried to use a regex in props.conf and transforms.conf but the data continues to be entered with the blank spaces in the fields.

props.conf:

 

 

[blacklist]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = auto
KV_TRIM_SPACES = true
SEDCMD-blacklist = s/(^|\s)($|\s)//g
TRANSFORMS-blacklist = blacklist_name
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = sourcetype para incorporar los datos de listas negras al índice
disabled = false
pulldown_type = true
FIELD_DELIMITER = ;

 

 

Transforms.conf:

 

 

[blacklist_name]
SOURCE_KEY = field:mltf_blacklist_name
REGEX = ^\s*(\w+)(.*)\s
FORMAT = $1
WRITE_META = true

 

 

I've been going through the documentation and I'm a bit lost with the splunk configurations. Any help will be appreciated.

Thanks.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2022 12:42 PM

It looks like you've tried every method Splunk makes available.  🙂  Some of the regular expressions are questionable, however.  Try these settings:

[blacklist]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = auto
KV_TRIM_SPACES = true
SEDCMD-blacklist = s/^\s+(.*?)\s+$/\1/g
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = sourcetype para incorporar los datos de listas negras al índice
disabled = false
pulldown_type = true
FIELD_DELIMITER = ;
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...