Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Rewriting field values in search time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rewriting field values in search time
Hello,
I've got some events like this extracting fields using kv_mode=auto:
key1="value1", key2="value2", null1="NULL", key3="value3", null2="NULL", key4="value4"
This config generates these fields:
1. key1="value1
2. key2="value2"
3. null1="NULL"
4. key3="value3"
5. null2="value2"
6. key4="value4"
At search time, and without modifying my SPL queries (so I guess it should be done with some config at props.conf and transforms.conf), I need to rewrite null fields (null1 and null2 in the example) to contain the value "" (empty string), null value (null(), which I think it's the same for Splunk) or even removing these kv-null-pairs. I have done this before, but at index-time, using a sedcmd, but it's not so clear for me to get this working at search time, which is what I need.
Ideally, fields should look like this:
1. key1="value1
2. key2="value2"
3. null1=""
4. key3="value3"
5. null2=""
6. key4="value4"
or
1. key1="value1
2. key2="value2"
3. key3="value3"
4. key4="value4"
Thanks for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use separate eval statement in props.conf. Similar to woodcocks foreach example - although you would have to do it separately for each field like this ...
[your_sourcetype]
EVAL-null1 = if(null1="NULL","",null1)
EVAL-null2 = if(null2="NULL","",null2)
This would be applied at search time unlike the SED command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I've tried that, but it generates a performance problem. Each single event have up to 50 fields and any off them can (or cannot) be NULL, and this index has 50.000.000 events, so it's a problem evaluating each field of each event when making a search.
I think I could rephrase the question like this:
Is it possible to modify _raw before extracting fields at search time??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need SEDCMD:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Anonymizedata
Like this:
SEDCMD-NULL2null = 's/="NULL"/=""/'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But this is at index time... I need at search time and not in the query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
foreach * [eval <<FIELD>>=if(like($<<FIELD>>$, "NULL"), null(), $<<FIELD>>$)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks woodcook!! But, is this SPL? I cannot modify my queries. I need to do it with any config if it even exists
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
