I have a task to sanitize output of the search for certain users. The data were indexed without sanitation and I can't reindex the data.
Example:
index=os | rex field=_raw mode=sed 's/acl/@/'
But I am getting "Error in 'litsearch' command: Unable to parse the search: unbalanced parentheses"; however, the sed command works fine when used in search.
From the job inspector:
( index=os ) ( ( | rex field=_raw mode=sed 's/acl/@/' ) ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"