Splunk Search

How to transform a string and ignore all tagged parts like {example}

Motivator

Hi,

Let's say we have a string with various tagged entries:

"This {field1} is {delete_this} the example {tagged_element}"

Is it possible to ignore all tagged elements, no matter how many of them exist? Here the result would be

"This is the example"

Thanks in advance
Heinz

0 Karma
1 Solution

Contributor

Hello Heinz,

Yes, this is possible.
Where do you want to do this? Before indexing?

Then you could do it in your props.conf with a regex like this example:

SEDCMD-ip = s/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})/\1xxx/g

This replaces the last octet in an IP address.

Or if you want to do it at search time, you could do it in your query like this:

… | eval callingPartyNumber = replace(callingPartyNumber, "(\d+)(\d{3})", "xxxxx\2")

Output in both cases is 192.168.2.xxx

So you could edit the regexes to fit your needs and replace the unwanted strings with an empty string.


Motivator

Hi,

A short follow-up question regarding this topic 🙂

How to only keep the tagged elements?

Best regards
Heinz

0 Karma

Motivator

Thanks for your post. I would like to do it at search time. Unfortunately I'm not familiar enough with regex to adjust the example to my needs.

0 Karma

Contributor

Could you give me an example data line? Then I could try it.

0 Karma

Motivator

I created a testcase like this:

index=main | head 1
| eval field="This {field1} is {deletethis} the example {taggedelement}"
| table field

0 Karma

Contributor

It might not be the most beautiful regex, but it works with your example...

index=_internal | head 1
| eval field="This {field1} is {delete_this} the example {tagged_element}"
| eval field=replace(field, "{([^}]+)}|([\S])", "\2")
| table field
0 Karma
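The regex in the reply above and the follow-up question ("How to only keep the tagged elements?") can both be checked outside Splunk before pasting anything into a search, because Splunk's replace() and rex are PCRE-based and Python's re module handles these particular patterns identically. The following is an added example written for this page, not code from the thread or from Splunk: it reproduces the accepted regex to show the whitespace it leaves behind, then gives a tag-stripping and a tag-keeping function, with the SPL that would correspond to each written in the comments as assumed usage. The sample string is constructed to match the test case used in the thread.

```python
import re

# Constructed sample input (not from any real Splunk event); it has the same
# shape as the test string used in the thread.
SAMPLE = "This {field1} is {delete_this} the example {tagged_element}"

# One tagged element: a literal "{", one or more characters that are not braces,
# a literal "}". Using [^{}] instead of .* keeps a single match from running
# across two elements, so "{a} is {b}" yields {a} and {b} separately.
# The same pattern works in Splunk's replace() and rex, which are PCRE-based.
TAG = re.compile(r"\{([^{}]+)\}")


def thread_regex(s: str) -> str:
    """The regex from the accepted reply, reproduced for comparison.

    Each alternative matches either a whole {tag} (group 1) or one
    non-whitespace character (group 2); replacing with \\2 drops the tags
    but keeps every whitespace character, so the spaces on both sides of a
    removed tag survive as a double space and a trailing space remains.
    Splunk's table view hides this, but a later match on the field will not.
    """
    return re.sub(r"\{([^}]+)\}|(\S)", r"\2", s)


def strip_tagged(s: str) -> str:
    """Remove all {tagged} elements and normalise the leftover whitespace.

    Assumed SPL equivalent (not from the thread):
      | eval field=trim(replace(replace(field, "{[^{}]+}", ""), "\\s+", " "))
    """
    return re.sub(r"\s+", " ", TAG.sub("", s)).strip()


def keep_tagged(s: str, sep: str = " ") -> str:
    """Keep only the {tagged} elements, in their original order.

    Assumed SPL equivalent (not from the thread): extract every match into a
    multivalue field with rex max_match=0, then join it:
      | rex field=field max_match=0 "(?<tagged>{[^{}]+})"
      | eval only_tags=mvjoin(tagged, " ")
    """
    return sep.join(m.group(0) for m in TAG.finditer(s))


def tag_names(s: str) -> list[str]:
    """Return the names inside the braces, without the braces themselves."""
    return TAG.findall(s)


if __name__ == "__main__":
    print(repr(thread_regex(SAMPLE)))  # 'This  is  the example '
    print(repr(strip_tagged(SAMPLE)))  # 'This is the example'
    print(repr(keep_tagged(SAMPLE)))   # '{field1} {delete_this} {tagged_element}'
    print(tag_names(SAMPLE))           # ['field1', 'delete_this', 'tagged_element']
```

The one deliberate difference from the thread's pattern is `[^{}]` in place of `[^}]`: it refuses to match an unbalanced `{` inside a tag, so a stray brace in the input cannot make one match swallow the text up to the next closing brace.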

Motivator

This works, thanks a lot!

0 Karma

Motivator

I would assume something like {.*?}( |$)

0 Karma