Re: regex: replace my events with _raw=Body

Mohsin123 · ‎03-14-2018

Hi,

I want to replace my events with _raw=Body
can anyone help ? pl let me know the regex .

Regards
Shraddha

woodcock · ‎07-15-2018

Nobody is going to be able to answer your question or even give you much help unless you provide a great deal more detail, including samples of your existing data and a mockup of your desired final state.

akocak · ‎07-13-2018

Assuming this is your regex for the field:

 ...|rex "\nBody:\s(?<_raw>[^\}]+)"

then I would do

....| regex field=_raw "\nBody:\s(?<new_raw>[^\}]+)"
| eval _raw=new_raw

please note that pre-extracted fields such as host, _time, sourcetype will still be there. you can always see time of the event even if it doesn't exist in new_raw.

If you want to index from HF on this way, this will require you props.conf and transforms.conf. But that's not the question after all 🙂

493669 · ‎03-14-2018

can you provide sample events and what is expected output?

493669 · ‎03-14-2018

it seems previous comments are deleted :
have you tried:

...|rex "\nBody:\s(?<_raw>[^\}]+)"

Mohsin123 · ‎03-14-2018

I asked you how we can rewrite event at HF level, so that data come only having Body data.

You are giving me query I gave you 😄

p_gurav · ‎03-15-2018

You can use route and filter on HF. Refer below data:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad

If you want to Anonymize you can use SED-CMD
https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Anonymizedata

regex: replace my events with _raw=Body

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!