Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can i remove blank lines in my event ??

rakesh_498115
Motivator
‎11-14-2013 11:00 PM

Hi

I have an so many blanklines , and whitespaces in a single event , Now i want to strip of these blank lines , and mutliple whitespaces ignoring a single whitespace. How can i do this using SEDCMD prop in props.conf

I have tried the following configuration,in props.conf

SEDCMD-parse1 = s/(?m)\n//g s/ *//g

s/(?m)\n//g - to remove blanklines
s/ *//g - to remove mutliple whitespaces

but this doesnt work ? any better idea of doing this pls ?

My sample event :

`
26-JUL-13:10-23-34

<sample

Text

</ Envelope >
`

Now i am expecting the following output,



26-JUL-13:10-23-34 Text

Sry i am unable to post sample event also, it has the above data splitted by lines and whitespaces . any idea on this SEDCMD pls?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-15-2013 05:15 AM

Give this a try:

SEDCMD-spaces = s/[\n\r]+|\s\s+//g
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-20-2013 12:41 AM

This works for me in props.conf:

[foo]
SEDCMD-spaces = s/[\n\r]+|\s\s+//g
TIME_FORMAT = %d-%b-%y:%H-%M-%S

for turning this:

26-JUL-13:10-23-34 <Envelop          e>    

<sample

>
Text


</sample>

</    Envelope    >

into this:

26-JUL-13:10-23-34 <Envelope><sample>Text</sample></Envelope>

Note: Depending on your XML, removing all multi-space blocks entirely may damage the XML. For example, if you have this:

<foo  bar="baz" />

and remove the double space to get this:

<foobar="baz" />

you may be in trouble.

Reply

rakesh_498115
Motivator
‎11-18-2013 11:09 PM

Hi martin, Here is my props setting,

[mydata]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
SEDCMD-parse1 = s/*//g
SEDCMD-parse2 = s/[\n\r]+|\s\s+//g

I have used above parse s/*//g to remove the special * which is avaiable in my log data along with blank lines and whitespaces ..

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-18-2013 07:30 AM

What's your props.conf content?

0 Karma
Reply

rakesh_498115
Motivator
‎11-18-2013 05:19 AM

Hi Martin..thanks for the update .. but this is working in query.but not working in props.conf..

myquery:

index="default" sourcetype="mydata" source="/splunkInput/Parsing/parse4.1_2013-07-2616.32.15.log" | rex mode=sed "s/*//g" | rex mode=sed "s/[\n\r]+|\s\s+//g"

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...