Remove property from json event Splunk

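I have JSON events in Splunk, but I want to remove one of the key pairs/properties.

For example:

From the JSON below I want to remove "country": "Algeria" from every incoming event. Is it possible? I tried something like this in props.conf, but it didn't work.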

    [k8s]
    INDEXED_EXTRACTIONS=JSON
    TRUNCATE = 200000
    SEDCMD-remove=/"country": ".*/g

        {
            "random": 23,
            "random float": 28.173,
            "bool": false,
            "date": "1990-08-31",
            "regEx": "helloooooooooooooooooooooooooooooooooooooooooooooooooo world",
            "enum": "generator",
            "firstname": "Latisha",
            "lastname": "Alexandr",
            "city": "Tiraspol",
            "country": "Algeria",
            "countryCode": "MC",
            "email uses current data": "Latisha.Alexandr@gmail.com",
            "email from expression": "Latisha.Alexandr@yopmail.com",
            "array": [
                "Dyann",
                "Christal",
                "Renie",
                "Tilly",
                "Margette"
            ],
            "array of objects": [
                {
                    "index": 0,
                    "index start at 5": 5
                },
                {
                    "index": 1,
                    "index start at 5": 6
                },
                {
                    "index": 2,
                    "index start at 5": 7
                }
            ],
            "Raquela": {
                "age": 50
            }
        }

You have the right idea, but the SEDCMD is wrong. Try this in your props.conf:

    SEDCMD-noAlgeria = s/"country": "Algeria",//
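
The difference between the question's pattern and the answer's, as an added example that is not part of the original posts. It goes one step beyond the answer by also matching any country value. Python's `re` stands in for Splunk's regex engine here, and the shortened single-line event, the `ANY_VALUE` pattern and the helper names are assumptions made for illustration.

```python
import json
import re

# Constructed sample: a shortened, single-line form of the event in the question.
RAW_EVENT = ('{"firstname": "Latisha", "city": "Tiraspol", '
             '"country": "Algeria", "countryCode": "MC", "Raquela": {"age": 50}}')

# Pattern body from the question's attempt (which also lacked the leading "s"
# and a replacement part). Greedy ".*" runs to the end of the line.
GREEDY = r'"country": ".*'
# Pattern from the answer: removes only this exact key/value pair.
LITERAL = r'"country": "Algeria",'
# Generalization (assumption, not from the page): any string value, flexible
# whitespace, and the trailing comma so the remaining JSON stays valid.
ANY_VALUE = r'"country":\s*"[^"]*",\s*'


def sed_delete(pattern: str, raw: str) -> str:
    """Mimic s/pattern//: replace the first match with nothing."""
    return re.sub(pattern, "", raw, count=1)


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def remaining_keys(pattern: str, raw: str):
    """Top-level keys left after the deletion, or None if the JSON broke."""
    out = sed_delete(pattern, raw)
    return list(json.loads(out)) if is_valid_json(out) else None


if __name__ == "__main__":
    for name, pat in [("greedy", GREEDY), ("literal", LITERAL), ("any value", ANY_VALUE)]:
        print(f"{name:10} -> {remaining_keys(pat, RAW_EVENT)}")
```

Checking that the stripped event still parses as JSON, and that `countryCode` survives, is a quick way to validate a masking pattern before putting it in props.conf.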