How to remove blanks in a field in data entry

vprunera · ‎06-16-2022

Hi,

I'm trying to remove blanks in a field when adding a csv file. In heavy-forwarder I have tried to use a regex in props.conf and transforms.conf but the data continues to be entered with the blank spaces in the fields.

props.conf:

[blacklist]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = auto
KV_TRIM_SPACES = true
SEDCMD-blacklist = s/(^|\s)($|\s)//g
TRANSFORMS-blacklist = blacklist_name
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = sourcetype para incorporar los datos de listas negras al índice
disabled = false
pulldown_type = true
FIELD_DELIMITER = ;

Transforms.conf:

[blacklist_name]
SOURCE_KEY = field:mltf_blacklist_name
REGEX = ^\s*(\w+)(.*)\s
FORMAT = $1
WRITE_META = true

I've been going through the documentation and I'm a bit lost with the splunk configurations. Any help will be appreciated.

Thanks.

richgalloway · ‎06-27-2022

It looks like you've tried every method Splunk makes available. 🙂 Some of the regular expressions are questionable, however. Try these settings:

[blacklist]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = auto
KV_TRIM_SPACES = true
SEDCMD-blacklist = s/^\s+(.*?)\s+$/\1/g
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = sourcetype para incorporar los datos de listas negras al índice
disabled = false
pulldown_type = true
FIELD_DELIMITER = ;

---
If this reply helps you, Karma would be appreciated.

How to remove blanks in a field in data entry

other

regex

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio