I have between 2 and 25 fields that I need to apply the SED cmd to. The fields are coming in in KV pairs with the Value wrapped in single quotes which make it hard for analysis on those events. Since I am a Cloud customer, is the only way for this to be pushed out to have Support do it on the indexers? I realize the SED command is an index time extraction but i was wondering if there is anything else i could be doing to try and remedy this.
From Search Bar:
| rex field=_raw mode=sed "s/'//g"
In Props:
SEDCMD-RemoveSingleQuotes = "s/'//g"
↧
