I want to remove a string from _raw that appears as a field in Splunk, say host. For example, if I have the _raw message:
<ConMan> Console [hype33] log at 2013-08-15 00:00:00 PDT.
2013-08-15 14:25:48 Setting hostname hype362: [ OK ]
The following search gets rid of the date, time and any digits in _raw:
|rex mode=sed "s/\d{1,}//g" |rex mode=sed "s/(January|Jan|February|Feb|March|Mar|April|Apr|May|June|Jun|July|Jul|August|Aug|September|Sep|October|Oct|November|Nov|December|Dec|Mon|Tue|Wed|Thu|Fri|Sat|Sun)//g" | rename _raw AS msgdigest
So the msgdigest then becomes:
<ConMan> Console [hype] log at -- :: PDT.
-- :: Setting hostname hype: [ OK ]
as my _raw message, and say hype is a type of host, I want to have
<ConMan> Console [] log at -- :: PDT.
-- :: Setting hostname: [ OK ]
The final goal here is to create a digest of _raw that has more detail than punct, as I find that sometimes errors that are not actually similar have the same punct. So I am making a hybrid of _raw and punct, so to speak. I may try to make this available as an app in the long run.
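The same digest logic, rewritten in Python with the re module as an added example so it can be tried offline (this is not the asker's search and not Splunk code; rex mode=sed is only being imitated here). The host stem "hype", the two sample events, and the punct_like approximation of Splunk's punct field are assumptions made for illustration. Two details differ from the posted search on purpose: the long month names are listed before their abbreviations and every calendar word is wrapped in \b, because an unanchored "Jan|January" alternation matches "Jan" first and leaves "uary" behind, and "Mon"/"Sun" would otherwise chew into words like "Monday" or "Sunset".

```python
import re

# Constructed sample events, mirroring the two lines in the question (not real log data).
SAMPLE_EVENTS = [
    "<ConMan> Console [hype33] log at 2013-08-15 00:00:00 PDT.",
    "2013-08-15 14:25:48 Setting hostname hype362: [ OK ]",
]

# Long names before abbreviations, wrapped in \b, so "January" is removed whole
# instead of leaving "uary", and "Monday"/"Sunset" survive the Mon/Sun alternatives.
CALENDAR_WORDS = re.compile(
    r"\b(?:January|Jan|February|Feb|March|Mar|April|Apr|May|June|Jun|July|Jul"
    r"|August|Aug|September|Sep|October|Oct|November|Nov|December|Dec"
    r"|Mon|Tue|Wed|Thu|Fri|Sat|Sun)\b"
)

DIGITS = re.compile(r"\d+")  # same effect as the posted s/\d{1,}//g


def msgdigest(raw, host_prefixes=()):
    """Return a digest of raw with host tokens, digits and calendar words removed.

    host_prefixes: host-name stems such as "hype". The stem, any trailing digits
    and one optional preceding space are removed, so "[hype33]" becomes "[]" and
    "hostname hype362:" becomes "hostname:". Assumption: hosts are named
    <stem><number>, as in the question's examples; \b keeps "hyperlink" intact.
    """
    text = raw
    for stem in host_prefixes:
        text = re.sub(r" ?\b" + re.escape(stem) + r"\d*\b", "", text)
    text = DIGITS.sub("", text)
    text = CALENDAR_WORDS.sub("", text)
    return text


def punct_like(raw, width=30):
    """Rough stand-in for Splunk's punct field, used only for the comparison below.

    Assumption: letters and digits are dropped, spaces become "_", all other
    characters are kept, and the result is truncated to `width` characters.
    """
    kept = [("_" if ch == " " else ch) for ch in raw if not ch.isalnum()]
    return "".join(kept)[:width]


def punct_collides_but_digest_differs(event_a, event_b, host_prefixes=("hype",)):
    """True when two events share a punct-like signature but get different digests.

    This is the case the question is about: "[ OK ]" and "[ FAILED ]" have the same
    punctuation pattern, so punct alone lumps them together, while the digest keeps
    the words and tells them apart.
    """
    return (punct_like(event_a) == punct_like(event_b)
            and msgdigest(event_a, host_prefixes) != msgdigest(event_b, host_prefixes))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(msgdigest(event, host_prefixes=["hype"]))
    ok = "2013-08-15 14:25:48 Setting hostname hype362: [ OK ]"
    failed = "2013-08-15 14:25:48 Setting hostname hype362: [ FAILED ]"
    print(punct_like(ok) == punct_like(failed), msgdigest(ok, ["hype"]) != msgdigest(failed, ["hype"]))
```

Running the block prints the two digests from the question ("<ConMan> Console [] log at -- :: PDT." and "-- :: Setting hostname: [ OK ]") followed by "True True", i.e. the OK and FAILED events collide on the punct-like signature but not on the digest. If this is carried back into SPL, the same ordering fix applies to the rex alternation, and `\b` is honoured by Splunk's PCRE engine as well.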