Hello Splunkers
I am currently using the following regex+sed to make one of my extracted fields usable. I am trying to avoid having to do this by adding a **SEDCMD** entry to my props.conf for the specific sourcetype, so it gets extracted correctly the first time around. For some reason, the field I am hoping to update does not change when I add the rex command used below within the config. The rex+sed commands, when used in a search, give me the results I want, and I end up creating a new field to be able to work with the data. I am wondering if someone can help me out, as I am not sure what I am doing wrong. Do I need to update more than one config file when trying to fix or override the regex used to populate the field? Do I need to specify the field name somewhere to ensure it's updating the field I'd like to update in the props.conf for the specific sourcetype I am trying to manipulate?
```
searchHere | rex "(?(\(\d+\))([A-Za-z0-9_\-]+\(\d+\))+\w+(\(\d+\)))" | rex mode=sed field=longitude_site "s/\(\d+\)/./g s/\.$//g"
```