小贝子编程

删除json事件Splunk的属性



我在splunk中有事件JSON事件,但我想删除一个键对/属性。

例如:

从JSON下面我想删除"country"; "Algeria",从每一个事件将会到来。有可能吗?我已经在我的props.conf中尝试了类似的操作,但是没有成功。

[k8s]
INDEXED_EXTRACTIONS=JSON
TRUNCATE = 200000
SEDCMD-remove=/"country": ".*/g


       {
            "random": 23,
            "random float": 28.173,
            "bool": false,
            "date": "1990-08-31",
            "regEx": "helloooooooooooooooooooooooooooooooooooooooooooooooooo world",
            "enum": "generator",
            "firstname": "Latisha",
            "lastname": "Alexandr",
            "city": "Tiraspol",
            "country": "Algeria",
            "countryCode": "MC",
            "email uses current data": "Latisha.Alexandr@gmail.com",
            "email from expression": "Latisha.Alexandr@yopmail.com",
            "array": [
                "Dyann",
                "Christal",
                "Renie",
                "Tilly",
                "Margette"
            ],
            "array of objects": [
                {
                    "index": 0,
                    "index start at 5": 5
                },
                {
                    "index": 1,
                    "index start at 5": 6
                },
                {
                    "index": 2,
                    "index start at 5": 7
                }
            ],
            "Raquela": {
                "age": 50
            }
        }

您的想法是正确的,但是SEDCMD是不正确的。在props.conf

中试试
SEDCMD-noAlgeria = s/"country": "Algeria",//

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium