Keeping punct field
Options
Jordan Perks
Posts: 11 ✭
How do I keep the punct field when sending from a Splunk UF through stream
0
Answers
-
We wrote a custom function called ‘rebuild_punct to do this. Stick it at the end of your pipeline to create punct based on _raw.
How to create a custom function: https://cribl.io/blog/extending-cribl-building-custom-functions/
Info on the contents of punct: https://community.splunk.com/t5/Splunk-Search/Describe-the-pattern-matching-syntax-used-for-punct/m-p/101622#M1828850 -
You could use something like this:
punct = _raw.substr(0, 150).replace(/[0-9A-Za-z_*\s/]/g, '')
0
