Splunk Search

How to remove blanks in a field in data entry

vprunera
New Member

Hi,

I'm trying to remove blanks in a field when adding a CSV file. On the heavy forwarder I have tried to use a regex in props.conf and transforms.conf, but the data continues to be entered with the blank spaces in the fields.

props.conf:

[blacklist]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = auto
KV_TRIM_SPACES = true
SEDCMD-blacklist = s/(^|\s)($|\s)//g
TRANSFORMS-blacklist = blacklist_name
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = sourcetype para incorporar los datos de listas negras al índice
disabled = false
pulldown_type = true
FIELD_DELIMITER = ;

transforms.conf:

[blacklist_name]
SOURCE_KEY = field:mltf_blacklist_name
REGEX = ^\s*(\w+)(.*)\s
FORMAT = $1
WRITE_META = true

I've been going through the documentation and I'm a bit lost with the Splunk configurations. Any help will be appreciated.

Thanks.

0 Karma

richgalloway
SplunkTrust

It looks like you've tried every method Splunk makes available.  🙂  Some of the regular expressions are questionable, however.  Try these settings:

[blacklist]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = auto
KV_TRIM_SPACES = true
SEDCMD-blacklist = s/^\s+(.*?)\s+$/\1/g
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = sourcetype para incorporar los datos de listas negras al índice
disabled = false
pulldown_type = true
FIELD_DELIMITER = ;

---
If this reply helps you, Karma would be appreciated.
0 Karma
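
An offline check of the two SEDCMD expressions quoted in this thread, added here as an example and not part of either post. It applies each substitution to constructed sample events and lists the `;`-separated fields that still carry padding; the helper names and sample data are hypothetical, and Python's `re` is assumed to treat these patterns the same way as the regex engine Splunk uses, so this models only the text substitution, not Splunk's parsing pipeline.

```python
import re

# The two SEDCMD expressions from the thread, as (pattern, replacement) pairs.
# Assumption: Python's re handles \s, ^, $ and the lazy quantifier the same way
# as the regex engine behind SEDCMD.
QUESTION_SED = (r"(^|\s)($|\s)", "")
ANSWER_SED = (r"^\s+(.*?)\s+$", r"\1")


def apply_sed(expr, raw):
    """Emulate s/<pattern>/<replacement>/g on one raw event."""
    pattern, replacement = expr
    return re.sub(pattern, replacement, raw)


def split_fields(raw, delimiter=";"):
    """Split the event on the delimiter without trimming anything."""
    return raw.split(delimiter)


def padded_fields(raw, delimiter=";"):
    """Return the fields that still carry leading or trailing whitespace."""
    return [f for f in split_fields(raw, delimiter) if f != f.strip()]


# Constructed sample events (not from the original post).
SAMPLES = [
    "  acme corp ;10.0.0.1; high  ",   # padding at both ends and inside
    "acme corp ;10.0.0.1; high",       # padding only around the delimiter
]

if __name__ == "__main__":
    for raw in SAMPLES:
        for name, expr in (("question", QUESTION_SED), ("answer", ANSWER_SED)):
            out = apply_sed(expr, raw)
            print(f"{name:8} {raw!r} -> {out!r} padded={padded_fields(out)}")
```

On both samples the fields next to the `;` delimiter keep their padding, because neither expression matches a single space that sits beside a delimiter in the middle of the event.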