How do I keep the punct field when sending from a Splunk UF through Stream?
We wrote a custom function called 'rebuild_punct' to do this. Stick it at the end of your pipeline to create punct based on _raw.
How to create a custom function: https://cribl.io/blog/extending-cribl-building-custom-functions/
Info on the contents of punct: https://community.splunk.com/t5/Splunk-Search/Describe-the-pattern-matching-syntax-used-for-punct/m-p/101622#M182885
You could use something like this:
punct = _raw.substr(0, 150).replace(/[0-9A-Za-z_*\s/]/g, '')