Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- regex: replace my events with _raw=Body
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
regex: replace my events with _raw=Body
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nobody is going to be able to answer your question or even give you much help unless you provide a great deal more detail, including samples of your existing data and a mockup of your desired final state.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming this is your regex for the field:
...|rex "\nBody:\s(?<_raw>[^\}]+)"
then I would do
....| regex field=_raw "\nBody:\s(?<new_raw>[^\}]+)"
| eval _raw=new_raw
please note that pre-extracted fields such as host, _time, sourcetype will still be there. you can always see time of the event even if it doesn't exist in new_raw.
If you want to index from HF on this way, this will require you props.conf and transforms.conf. But that's not the question after all 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you provide sample events and what is expected output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it seems previous comments are deleted :
have you tried:
...|rex "\nBody:\s(?<_raw>[^\}]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I asked you how we can rewrite event at HF level, so that data come only having Body data.
You are giving me query I gave you 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use route and filter on HF. Refer below data:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad
If you want to Anonymize you can use SED-CMD
https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Anonymizedata
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
