Solved: Cleaning raw data at index time or search time?

aapittts · ‎02-21-2013

I have raw data that looks like this: (4)example(3)domain(3)com(0). In my search, I've been using a macro that looks like this:

eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.", "")

This produces the desired result. However, when I try and pipe the output of the macro to a lookup table it doesn't work. I've narrowed the issue down to the regex bc if I put the example domain above in my lookup table I get the proper results. That is not the solution bc I have hundreds of domains in the lookup table and can not change them all. So my question is is there a way to pass the output of the regex properly or is this something that needs to be taken care of in the props or transforms?

aapittts · ‎02-22-2013

After fighting with the regex more, I realized I wasn't replacing the final '.' from the domain name thus not getting any matches against my look up table.

eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.|$\.", "")

View solution in original post

aapittts · ‎02-22-2013

After fighting with the regex more, I realized I wasn't replacing the final '.' from the domain name thus not getting any matches against my look up table.

eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.|$\.", "")

Cleaning raw data at index time or search time?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!