- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search app: Remove extracted values from event col...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Is it possiple to remove information from the column "Event" in the search app view? Some values have allready been extracted, so I would like to remove them from the event column.
Current text in column "Event":
time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message
New:
LOG: A long long log message
Is that possible? How to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
The event column shows the raw event.
Technically, you could do an | eval _raw=... command to apply some kind of eval functions on the _raw field, to only display the part you are looking for. Or specifically for your example: | rex "message=(?<_raw>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hello,
can you past this example in your barre search:
| makeresults | eval _raw="time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message" | rex "message=(?<_raw>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
The event column shows the raw event.
Technically, you could do an | eval _raw=... command to apply some kind of eval functions on the _raw field, to only display the part you are looking for. Or specifically for your example: | rex "message=(?<_raw>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
This is working for one line, as we have the same prefix with a different log message on the second line (was my fault, I didn't mention that) I used
| rex max_match=0 "message=(?<_raw>.*)"
Now it's working fine. Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
You should not remove these during indexing, because it will most likely break all your field extractions unless all these information has been extracted as index time fields, which it most likely isn't.
You could use a regex like this:
.*\smessage=(?<_raw>.*)$
This would replace the _raw field, which is what you're getting displayed as the actual event text.
So, you can simply set up a props.conf like this:
[your-sourcetype]
EXTRACT-shorten_raw_text = .*\smessage=(?<_raw>.*)$
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.
Learn More or Register Now >
