Remove property from json event Splunk
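I have JSON events in Splunk, but I want to remove one of the key/property pairs.
For example:
From the JSON below I want to remove "country": "Algeria" from every incoming event. Is it possible? I tried something like this in props.conf, but with no luck.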
[k8s]
INDEXED_EXTRACTIONS=JSON
TRUNCATE = 200000
SEDCMD-remove=/"country": ".*/g
{
"random": 23,
"random float": 28.173,
"bool": false,
"date": "1990-08-31",
"regEx": "helloooooooooooooooooooooooooooooooooooooooooooooooooo world",
"enum": "generator",
"firstname": "Latisha",
"lastname": "Alexandr",
"city": "Tiraspol",
"country": "Algeria",
"countryCode": "MC",
"email uses current data": "Latisha.Alexandr@gmail.com",
"email from expression": "Latisha.Alexandr@yopmail.com",
"array": [
"Dyann",
"Christal",
"Renie",
"Tilly",
"Margette"
],
"array of objects": [
{
"index": 0,
"index start at 5": 5
},
{
"index": 1,
"index start at 5": 6
},
{
"index": 2,
"index start at 5": 7
}
],
"Raquela": {
"age": 50
}
}
You have the right idea, but the SEDCMD is wrong. Try this in your props.conf:
SEDCMD-noAlgeria = s/"country": "Algeria",//
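The substitution in the answer matches only the literal value Algeria followed by a comma. The code below is an added example, not part of the original answer: it uses Python's re module as a stand-in for the s/…//g substitution, applies the answer's expression and an assumed generalization (any string value, key in any position) to a constructed, shortened copy of the event, and parses the result to confirm it is still valid JSON.

```python
import json
import re

# Constructed sample: a shortened copy of the event from the question.
EVENT = '''{
"city": "Tiraspol",
"country": "Algeria",
"countryCode": "MC",
"Raquela": {
"age": 50
}
}'''

# The expression from the answer: only the literal pair plus trailing comma.
ANSWER_RE = r'"country": "Algeria",'

# Assumed generalization (not from the page): any string value for "country".
KEY = r'"country"\s*:\s*'
VALUE = r'"(?:[^"\\]|\\.)*"'   # JSON string, tolerating escaped quotes
GENERAL_RE = (
    KEY + VALUE + r'\s*,\s*'   # key followed by a comma (first or middle)
    + '|' + r',\s*' + KEY + VALUE   # key preceded by a comma (last)
    + '|' + KEY + VALUE        # key is the only property
)
# GENERAL_RE contains no "/" characters, so it fits the s/<regex>//g form.
# It does not match "countryCode", but it does match a "country" key at any
# nesting depth, since it works on raw text rather than parsed JSON.

def scrub(raw, pattern):
    """Emulate s/<pattern>//g on the raw event text."""
    return re.sub(pattern, "", raw)

def keys_after(raw, pattern):
    """Scrub, then parse; json.loads raises if the result is malformed."""
    return list(json.loads(scrub(raw, pattern)).keys())

if __name__ == "__main__":
    print(keys_after(EVENT, ANSWER_RE))
    print(keys_after(EVENT, GENERAL_RE))
    last = '{"city": "x", "country": "Chad"}'   # constructed edge case
    print(scrub(last, ANSWER_RE))    # unchanged: value and comma differ
    print(scrub(last, GENERAL_RE))   # key removed, JSON still valid
```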