Solved: how to remove this annoying character?

giovere · ‎10-25-2011

In my log file there at the end of a file there is substitution character \x1A, here is the file with that character. I've tried following:

props.conf
SEDCMD-stripsub = s/\\x1A//g
SEDCMD-stripnull = s/\\x00//g

For null characters \x00 it works perfectly fine, but not the substitution character. Any suggestions how to get rid of it?

gkanapathy · ‎10-25-2011

You shouldn't be escaping the \. If you want to remove a character with hex code x1a, you should use s/\x1a//g. When you see \x1A in the actual raw event, that's simply because Splunk substituted the non-printable character with a printable character sequence. I have no idea why the second one worked, unless your raw data contains the printable string rather than the null character itself.

View solution in original post

gkanapathy · ‎10-25-2011

You shouldn't be escaping the \. If you want to remove a character with hex code x1a, you should use s/\x1a//g. When you see \x1A in the actual raw event, that's simply because Splunk substituted the non-printable character with a printable character sequence. I have no idea why the second one worked, unless your raw data contains the printable string rather than the null character itself.

giovere · ‎10-26-2011

Feel stupid 🙂 thanks it works

Ayn · ‎10-25-2011

I'm confused - just to clarify, does the second SEDCMD (stripnull) work but the first one doesn't?

how to remove this annoying character?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!