I am testing using Splunk to index a Minecraft server, but have some problems with user names.
Lines look like this:
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS
Since field names do conform to some=data, they are automatically extracted.
For some reason some users have §4 in front of the name and §r after it.
I have temporarily solved this by using SED like this:
source=minecraft | rex mode=sed field=player "s/(§4|§r)//g" | top player
This works fine.
But I would like to remove the data from the indexed data, so I tried this:
props.conf
[minecraft]
SED-remove_data = "s/(§4|§r)//g"
and
props.conf
[minecraft]
SED-remove_data = s/(§4|§r)//g
But neither of them works.
What am I doing wrong?
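An added example, not part of the original post: a Python sketch of the normalisation the post is after, showing how the formatting codes split one player into two identities in a `top player` count and how stripping them from the raw event first fixes it. It generalises the post's `(§4|§r)` to the standard Minecraft colour and style codes (an assumption about what else may appear); the function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Minecraft formatting codes: the section sign plus one code character
# (0-9, a-f colours; k-o styles; r reset). Generalises the post's (§4|§r).
FORMAT_CODE = re.compile(r"§[0-9a-fk-or]")
KV_PAIR = re.compile(r"(\w+)=(\S+)")

# Sample input: the two lines quoted in the post plus one constructed line
# in which the same player appears without formatting codes.
SAMPLE_LINES = [
    "Fri Mar 04 22:24:58 CET 2016 action=block_broken player=§4BirksX§r "
    "world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS",
    "Fri Mar 04 22:24:58 CET 2016 action=block_broken player=Pardur1 "
    "world=world x=30.0 y=105.0 z=-281.0 game_time=8303 block_type=LONG_GRAS",
    "Fri Mar 04 22:25:03 CET 2016 action=block_broken player=BirksX "
    "world=world x=31.0 y=105.0 z=-281.0 game_time=8403 block_type=LONG_GRAS",
]

def strip_format_codes(line: str) -> str:
    """Remove formatting codes from the raw event text, before field parsing."""
    return FORMAT_CODE.sub("", line)

def parse_fields(line: str) -> dict:
    """Extract key=value pairs, similar to automatic field extraction."""
    return dict(KV_PAIR.findall(line))

def top_players(lines, normalise=True) -> Counter:
    """Count events per player, optionally cleaning each raw line first."""
    counts = Counter()
    for line in lines:
        if normalise:
            line = strip_format_codes(line)
        player = parse_fields(line).get("player")
        if player:
            counts[player] += 1
    return counts

if __name__ == "__main__":
    print("raw:       ", dict(top_players(SAMPLE_LINES, normalise=False)))
    print("normalised:", dict(top_players(SAMPLE_LINES)))
```

In props.conf the index-time setting that takes a sed expression is named SEDCMD-<class>, and it only affects events indexed after the change.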