Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search app: Remove extracted values from event column

stefan_gohlke
New Member
‎04-30-2018 02:03 AM

Is it possiple to remove information from the column "Event" in the search app view? Some values have allready been extracted, so I would like to remove them from the event column.

Current text in column "Event":
time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message

New:
LOG: A long long log message

Is that possible? How to do this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎04-30-2018 02:17 AM

The event column shows the raw event.

Technically, you could do an | eval _raw=... command to apply some kind of eval functions on the _raw field, to only display the part you are looking for. Or specifically for your example: | rex "message=(?<_raw>.*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

TISKAR
Builder
‎04-30-2018 05:09 AM

Hello,

can you past this example in your barre search:

| makeresults | eval _raw="time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message" | rex "message=(?<_raw>.*)"
0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎04-30-2018 02:17 AM

The event column shows the raw event.

Technically, you could do an | eval _raw=... command to apply some kind of eval functions on the _raw field, to only display the part you are looking for. Or specifically for your example: | rex "message=(?<_raw>.*)"

0 Karma
Reply
Solved! Jump to solution

stefan_gohlke
New Member
‎05-07-2018 06:48 AM

This is working for one line, as we have the same prefix with a different log message on the second line (was my fault, I didn't mention that) I used

| rex max_match=0 "message=(?<_raw>.*)"

Now it's working fine. Thank you very much.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 02:14 AM

You should not remove these during indexing, because it will most likely break all your field extractions unless all these information has been extracted as index time fields, which it most likely isn't.

You could use a regex like this:
.*\smessage=(?<_raw>.*)$
This would replace the _raw field, which is what you're getting displayed as the actual event text.
So, you can simply set up a props.conf like this:

[your-sourcetype]
EXTRACT-shorten_raw_text = .*\smessage=(?<_raw>.*)$

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...