Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search app: Remove extracted values from event column

stefan_gohlke
New Member
‎04-30-2018 02:03 AM

Is it possiple to remove information from the column "Event" in the search app view? Some values have allready been extracted, so I would like to remove them from the event column.

Current text in column "Event":
time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message

New:
LOG: A long long log message

Is that possible? How to do this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎04-30-2018 02:17 AM

The event column shows the raw event.

Technically, you could do an | eval _raw=... command to apply some kind of eval functions on the _raw field, to only display the part you are looking for. Or specifically for your example: | rex "message=(?<_raw>.*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

TISKAR
Builder
‎04-30-2018 05:09 AM

Hello,

can you past this example in your barre search:

| makeresults | eval _raw="time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message" | rex "message=(?<_raw>.*)"
0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎04-30-2018 02:17 AM

The event column shows the raw event.

Technically, you could do an | eval _raw=... command to apply some kind of eval functions on the _raw field, to only display the part you are looking for. Or specifically for your example: | rex "message=(?<_raw>.*)"

0 Karma
Reply
Solved! Jump to solution

stefan_gohlke
New Member
‎05-07-2018 06:48 AM

This is working for one line, as we have the same prefix with a different log message on the second line (was my fault, I didn't mention that) I used

| rex max_match=0 "message=(?<_raw>.*)"

Now it's working fine. Thank you very much.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 02:14 AM

You should not remove these during indexing, because it will most likely break all your field extractions unless all these information has been extracted as index time fields, which it most likely isn't.

You could use a regex like this:
.*\smessage=(?<_raw>.*)$
This would replace the _raw field, which is what you're getting displayed as the actual event text.
So, you can simply set up a props.conf like this:

[your-sourcetype]
EXTRACT-shorten_raw_text = .*\smessage=(?<_raw>.*)$

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...