Splunk Search

How to remove extra characters from an indexed event?

Bellamar10
New Member

Good afternoon

Is there a way to remove extra characters (\xAF) from already indexed events such as this one:

20182018--0505--2222  1111::3939::1818,,937937 [ [4747] ] ERRORERROR  -- 
  ErrorError  MessageMessage::  OneOne  oror  moremore  errorserrors  occurredoccurred..
 \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Stack Trace: 

Thank you in advance

0 Karma
1 Solution

MuS
Legend

Hi Bellamar10,

try this:

| makeresults 
| eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR -- 
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF" 
| rex mode=sed field=foo "s/\\\xAF//g"

The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF from your search result. But remember the characters will still be in the _raw event 😉

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi Bellamar10,

try this:

| makeresults 
| eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR -- 
ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred..
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF
Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib
\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF" 
| rex mode=sed field=foo "s/\\\xAF//g"

The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF from your search result. But remember the characters will still be in the _raw event 😉

Hope this helps ...

cheers, MuS

xpac
SplunkTrust
SplunkTrust

Just to add on this - because you explicitely asked for "already indexed events" - you can do this like shown above, but it will not be persistent. Data, once indexed, can not be changed afterwards (permanently), only in every search again and again.

0 Karma

MuS
Legend

HeHE, did you read my answer to the end? I already mentioned that in my answer 😉

0 Karma

xpac
SplunkTrust
SplunkTrust

Hehe, I read that, but I wasnt clear to me that you meant that... which might be a non-native-English issue with me, sorry 😉

MuS
Legend

let's call it lost in translation from swiss german - german - english at the writer side and english - german on the reader side 🙂

Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...