Good afternoon
Is there a way to remove extra characters (\xAF) from already indexed events such as this one:
20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR --
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Stack Trace:
Thank you in advance
Hi Bellamar10,
try this:
| makeresults
| eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR --
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF"
| rex mode=sed field=foo "s/\\\xAF//g"
The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF
from your search result. But remember the characters will still be in the _raw
event 😉
Hope this helps ...
cheers, MuS
Hi Bellamar10,
try this:
| makeresults
| eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR --
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF"
| rex mode=sed field=foo "s/\\\xAF//g"
The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF
from your search result. But remember the characters will still be in the _raw
event 😉
Hope this helps ...
cheers, MuS
Just to add on this - because you explicitely asked for "already indexed events" - you can do this like shown above, but it will not be persistent. Data, once indexed, can not be changed afterwards (permanently), only in every search again and again.
HeHE, did you read my answer to the end? I already mentioned that in my answer 😉
Hehe, I read that, but I wasnt clear to me that you meant that... which might be a non-native-English issue with me, sorry 😉
let's call it lost in translation from swiss german - german - english
at the writer side and english - german
on the reader side 🙂