Refine your search:

Post search filtering

1

Is there a way to apply a SED like filter after a search. The plumbing is there to filter and sanitize data going into the indexer. You could achieve this with a custom search command but is there another way? Would be handy if there was a props config.

asked 02 Jun '10, 14:33

Marinus's gravatar image

Marinus
7991223
accept rate: 53%

2 Answers:
oldestnewestmost voted
1

You have two options. Either use the | rex mode=sed "s/find/replace/g" at runtime, or use a SEDCMD at index time, like so:

In props.conf:

[my_source_type]
SEDCMD = s/find/replace/g

Now, if if you are asking if you case setup something like a SEDCMD that gets run at search time, then the answer is no.

Here is a possible workaround: If your sed command is really long and ugly and you simply don't want to see it or don't want to repeat it in multiple searches, then I would suggest that you create a macro with your rex. I think that's the best you can do.

link

answered 02 Jun '10, 14:35

Lowell's gravatar image

Lowell ♦
11.1k81289
accept rate: 41%

0

There are some tricks, but I would just stick with expressing them in the search query language (with either rex or eval for your case), using macros if that makes things clearer or easier to manage.

Note that the existing "automatic" extractions and lookups at search time are not merely syntactic replacements for rex and lookup commands. They also allow you to perform efficient searches on the new fields by reverse-mapping the requested fields to original indexed values. This would not be possible with a general sed command.

But you can make things automatic. Note that doing this will also probably make it incredibly confusing to search for items, even if you're looking right at them:

props.conf:

[mysourcetype]
REPORT-raw = changeraw
FIELDALIAS-raw = _mychangedraw AS _raw

transforms.conf:

[changeraw]
SOURCE_KEY = _raw
REGEX = ^(?<_mychangedraw>.{1,64})
CLEAN_KEYS = false

This only works however if the change you're trying to make to a field is simply slicing out one part of it. If you need to do something more complicated, you do need a custom script, but you can use a lookup to get it to run automatically. A lookup, like an extraction, won't overwrite an initially returned field, so you'd do similar to the above:

[mysourcetype]
LOOKUP-raw = mycustomlookupscript _raw OUTPUT _mychangedraw
FIELDALIAS-raw = _mychangedraw AS _raw

[mycustomlookupscript]
external_cmd = mylookupscript.py
fields_list = _raw,_mychangedraw

Well, you have to have an external script instead of using Splunk to set regexes here.

link

answered 02 Jun '10, 16:43

gkanapathy's gravatar image

gkanapathy ♦
32.3k4827
accept rate: 41%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,640

Asked: 02 Jun '10, 14:33

Seen: 1,383 times

Last updated: 02 Jun '10, 16:43

Related questions

filtering search results

Having trouble with log filtering

Search Line Filtering

Filtering results based on subsequent events?

search hangs post 4.3 upgrade

Search results send as HTTP POST automatically

Finding HTTP Post parameters in splunk

Successor Search Using Previous Saved Search Result

Copyright © 2005-2012 Splunk Inc. All rights reserved.