SEDCMD: to filter the character between the user

Currently our proxy logs users with special characters in between.
ref: DC=local/bob\, tom

I have created a props.conf with
SEDCMD-alter_user= s/\\,//g
with which I am able to get the desired value, but it's too generic.
ref: DC=local/bob tom
Kindly assist me with the SEDCMD
SEDCMD-alter_user= s/"local/"\\,//g

0 Karma


This should be closer to what you need:

SEDCMD-alter_user= s/(local\/\w+)\\,/\1/g

You may need to tweak it for the characters that can be in your username (e.g. [-a-zA-Z0-9_]+ instead of \w+). You must escape the slash, not use double quotes the way you did, and pass the username through (\1).

I have edited this answer.

0 Karma
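
The difference between the generic rule in the question and a rule anchored on `local/` can be checked offline before anything is rewritten at index time. This is an added example, not code from either post: the event is constructed, the anchored rule is an assumed variant using the character class suggested in the answer, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# Constructed proxy event: an escaped comma in the user and in the URL.
EVENT = r'user="DC=local/bob\, tom" url="http://example.test/q?x=a\,b" action=allowed'

GENERIC = r"s/\\,//g"                              # rule from the question
ANCHORED = r"s/(local\/[-A-Za-z0-9_]+)\\,/\1/g"    # assumed anchored variant

def parse_sed(expr):
    """Split a sed-style s/regex/replacement/flags expression into its parts."""
    if not expr.startswith("s/"):
        raise ValueError("only s/// expressions are handled here")
    parts, buf, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            # An escaped delimiter becomes a literal slash; other escapes are kept.
            buf.append("/" if nxt == "/" else ch + nxt)
            i += 2
            continue
        if ch == "/" and len(parts) < 2:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 2:
        raise ValueError("unterminated s/// expression")
    return parts[0], parts[1], "".join(buf)

def apply_sed(expr, event):
    """Apply the substitution to one raw event, honouring the g flag."""
    regex, repl, flags = parse_sed(expr)
    return re.sub(regex, repl, event, count=0 if "g" in flags else 1)

FIELD = re.compile(r'(\w+)="([^"]*)"')

def changed_fields(expr, event):
    """Names of quoted key="value" fields whose value the rule alters."""
    before = dict(FIELD.findall(event))
    after = dict(FIELD.findall(apply_sed(expr, event)))
    return sorted(k for k in before if before[k] != after.get(k))

if __name__ == "__main__":
    for name, rule in (("generic", GENERIC), ("anchored", ANCHORED)):
        print(name, changed_fields(rule, EVENT), apply_sed(rule, EVENT))
```

The generic rule also rewrites the URL, which matters because SEDCMD changes the raw event before it is indexed and the original text cannot be recovered afterwards.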