Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex in transform.conf delete text in the middle

Alwiinie
New Member
‎04-24-2017 02:18 AM

I'm having some trouble to delete the text in "plugin_set".

Sample Incoming data:

 {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "10026;10111;10150;10170;10183;", "pokemon": "somsestuff3"}

Sample what I want:

 {"plugin_family": "somestuff", "policy": "somsestuff2", "plugin_set": "", "pokemon": "somsestuff3"}

This the closest that I got:

REGEX = (.*)("plugin_set".*\,)
DEST_KEY = _raw
FORMAT = $1 nullQueue

I also tried this, but that showed everything.

REGEX = (.*)("plugin_set".*\,)(.*)
DEST_KEY = _raw
FORMAT = $1 nullQueue $3

What is the right regex string for deleting the text in "plugin_set"?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎04-24-2017 01:41 PM

Try this in transforms.conf at indexer/heavy forwarder (assuming you're taking care of props.conf changes already)

REGEX = ^(.+\"plugin_set\"\:\s*\")([^\"]+)(\".+)
DEST_KEY = _raw
FORMAT = $1$3
0 Karma
Reply

Alwiinie
New Member
‎04-25-2017 12:04 AM

It doesn't work this also showed everything. I don't know if need to change the props.conf more then I now have.
This what I currently have:
tansform.conf:
[removepluginset]
REGEX = ^(.+\"plugin_set\":\s*\")([^\"]+)(\".+)
DEST_KEY = _raw
FORMAT = $1$3

props.conf
[host::hostname]
TRANSFORMS-set = removepluginset

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 06:02 AM

Try this.

REGEX = (.*"plugin_set":\s")([^,]+)(",.*)
DEST_KEY = _raw
FORMAT = $1$3
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alwiinie
New Member
‎04-24-2017 07:34 AM

It doesn't work, it just shows the all the data.

Btw in the props.conf I use this

TRANSFORMS-set = removepluginset
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 12:13 PM

Are you restarting Splunk after each change to the config files?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alwiinie
New Member
‎04-24-2017 11:54 PM

Yes, after every change in transform.conf I restart Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...