Thanks Woodcock. The first option requires a JAR deployment and a restart of the server on the Splunk forwarder side. The second option requires admin access to update transforms? Am I right? I haven't created any props extracts for the Title field.
Though based on your inputs, I am thinking of adding the following regex to my saved search. Please let me know your thoughts.
Since the data set isn't large, I am planning on a regular expression to redefine the field title. Insert
| rex field=_raw "|\s+title:\s+(?
Splunk breaks the saved search report if the field value contains a colon. My source record is below.
[2015-07-29 12:43:53,782 user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions | id: 1370545662068 | assettype: SECArticle | target: 1370539530396 | division_office: OIEA | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle&cs_environment=standard&pagename=OpenMarket/Xcelerate/Actions/UnlockFront&cs_formmode=WCM | title: Investor Alert: Fraudulent Stock Promotions | Status: Approved | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | path: oiea/investor-alerts-bulletins/ia_promotions.html
Take a look at the title: field value. It has a colon after "Investor Alert". How do I fix this? Do I need to escape it, and how?
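The two posts above are about the same problem: the record is a list of "key: value" pairs separated by " | ", and the title value itself contains a colon, so any extraction that treats the colon as the delimiter splits the title in the wrong place. The fix is to delimit fields by the pipe, not the colon, and to split each pair on its first colon only. The following Python script is an added example written for this page, not code from the poster or from Splunk; it shows the same idea the poster's rex approach relies on, as a standalone regex that can be tested outside Splunk. The sample record is constructed from the format in the post. Note that in a regex the pipe is a metacharacter, so a literal " | " delimiter must be written as "\|" (in Splunk's rex the named group is written (?<title>...), in Python it is (?P<title>...)).

```python
import re
from typing import Dict, Optional

# Constructed sample record modelled on the format in the post above
# (key: value pairs separated by " | ", with a colon inside the title value).
SAMPLE = (
    "[2015-07-29 12:43:53,782 user: ataeva | userAsIsCase: AtaevA | action: approved"
    " | name: ia_promotions | id: 1370545662068 | assettype: SECArticle"
    " | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle"
    " | title: Investor Alert: Fraudulent Stock Promotions | Status: Approved"
    " | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html"
    " | path: oiea/investor-alerts-bulletins/ia_promotions.html"
)

# Field-specific extraction, the same idea as the rex in the post: anchor on the
# "| title:" delimiter (pipe escaped as \|) and read lazily up to the next pipe
# or the end of the record, so any colon inside the value is kept.
TITLE_RE = re.compile(r"\|\s*title:\s*(?P<title>.*?)\s*(?=\||$)")

# Leading "[timestamp " prefix of the record (format taken from the sample).
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<rest>.*)$"
)

# One "key: value" pair: the key runs up to the FIRST colon, the value is the rest.
PAIR_RE = re.compile(r"^\s*(?P<key>[^:\s]+):\s*(?P<value>.*?)\s*$")


def extract_title(raw: str) -> Optional[str]:
    """Return the title value, colons and all, or None if the field is absent."""
    m = TITLE_RE.search(raw)
    return m.group("title") if m else None


def parse_record(raw: str) -> Dict[str, str]:
    """Split the record on the pipe delimiter and each pair on its first colon only."""
    fields: Dict[str, str] = {}
    body = raw
    m = HEADER_RE.match(raw)
    if m:
        fields["timestamp"] = m.group("timestamp")
        body = m.group("rest")
    for chunk in body.split(" | "):
        pm = PAIR_RE.match(chunk)
        if pm:
            fields[pm.group("key")] = pm.group("value")
    return fields


if __name__ == "__main__":
    print("title =", extract_title(SAMPLE))
    for key, value in parse_record(SAMPLE).items():
        print(f"{key} = {value}")
```

Splitting on the pipe is what protects the URL fields as well: "url: http://www.sec.gov/..." contains a colon too, and a colon-based split would truncate it to "http".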