Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex in transform.conf delete text in the middle

Alwiinie
New Member
‎04-24-2017 02:18 AM

I'm having some trouble to delete the text in "plugin_set".

Sample Incoming data:

 {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "10026;10111;10150;10170;10183;", "pokemon": "somsestuff3"}

Sample what I want:

 {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "", "pokemon": "somsestuff3"}

This the closest that I got:

REGEX = (.*)("plugin_set".*\,)
DEST_KEY = _raw
FORMAT = $1 nullQueue

I also tried this, but that showed everything.

REGEX = (.*)("plugin_set".*\,)(.*)
DEST_KEY = _raw
FORMAT = $1 nullQueue $3

What is the right regex string for deleting the text in "plugin_set"?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎04-24-2017 01:41 PM

Try this in transforms.conf at indexer/heavy forwarder (assuming you're taking care of props.conf changes already)

REGEX = ^(.+\"plugin_set\"\:\s*\")([^\"]+)(\".+)
DEST_KEY = _raw
FORMAT = $1$3
0 Karma
Reply

Alwiinie
New Member
‎04-25-2017 12:04 AM

It doesn't work this also showed everything. I don't know if need to change the props.conf more then I now have.
This what I currently have:
tansform.conf:
[removepluginset]
REGEX = ^(.+\"plugin_set\":\s*\")([^\"]+)(\".+)
DEST_KEY = _raw
FORMAT = $1$3

props.conf
[host::hostname]
TRANSFORMS-set = removepluginset

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 06:02 AM

Try this.

REGEX = (.*"plugin_set":\s")([^,]+)(",.*)
DEST_KEY = _raw
FORMAT = $1$3
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alwiinie
New Member
‎04-24-2017 07:34 AM

It doesn't work, it just shows the all the data.

Btw in the props.conf I use this

TRANSFORMS-set = removepluginset
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 12:13 PM

Are you restarting Splunk after each change to the config files?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alwiinie
New Member
‎04-24-2017 11:54 PM

Yes, after every change in transform.conf I restart Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...