Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field manipulation using SED

lakromani
Builder
‎03-04-2016 02:43 PM

I am testing using Splunk to index a minecraft server, but have some problem with user name.
Lines look like this:

Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS

Since field names do confirm to some=data they are automatically extracted.
For some reason some user has §4 in front of name and §r after it.

I have temporary solved this by using SED like this:

source=minecraft | rex mode=sed field=player "s/(§4|§r)//g" | top player

This works fine.
But I would like to remove the data from the indexed data, so I tried this:

props.conf
[minecraft]
SED-remove_data = "s/(§4|§r)//g"

and 

props.conf
[minecraft]
SED-remove_data = s/(§4|§r)//g

But none of them works.
What do I do wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakromani
Builder
‎03-05-2016 12:08 AM

Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:

[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lakromani
Builder
‎03-05-2016 12:08 AM

Problem was the ASCII code 245 = § ( Section sign ) and I need to use SEDCMD and not SED
After some sleep and some more googling, I found how to remove it, like this:

[minecraft]
SEDCMD-remove_data = s/\xa7\(r\|4\)//g
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-04-2016 03:10 PM

The correct attribute name is SEDCMD in props.conf.

Also, hope you're adding this props.conf on heavy forwarder/indexer

Reply
Solved! Jump to solution

lakromani
Builder
‎03-04-2016 04:00 PM

Will test it out.
I do only have one Splunk server, no forwarder.

Edit.
Dit not work on my server.

[minecraft]
SEDCMD-remove_data = "s/(§4|§r)//g"

Edit2.
It seem to be that the § symbol messes things up.
After removing the " in SEDCMD command, it has no more player, but changed it to playe and have removed the 4 from the time, so it get like this:

playe=§BirksX§r

I can see in nano that the § shows like a strange character, but ok using cat.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...