https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690280#M28280 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266570">@KhalidAlharthi</a>&nbsp;</P><P>You can do this with PREAMBLE_REGEX in props.conf</P><PRE>PREAMBLE_REGEX = &lt;regex&gt; * A regular expression that lets Splunk software ignore "preamble lines", or lines that occur before lines that represent structured data. * When set, Splunk software ignores these preamble lines, based on the pattern you specify. * Default: not set</PRE> Mon, 10 Jun 2024 22:52:40 GMT KendallW 2024-06-10T22:52:40Z https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690278#M28279 <P>is there a way to remove the header comes with non syslog source types that include hostname and timestamp with priority at the begnning of the event sended</P><P>&nbsp;</P><P>i have configuered outputs.conf,props.conf,transforms.conf</P><P>&nbsp;</P><P>is there a way to remove the priority and hostname associated with timestamp on the third-party system</P><P>&nbsp;</P><P>thanks</P> Mon, 10 Jun 2024 22:26:15 GMT https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690278#M28279 KhalidAlharthi 2024-06-10T22:26:15Z https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690280#M28280 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266570">@KhalidAlharthi</a>&nbsp;</P><P>You can do this with PREAMBLE_REGEX in props.conf</P><PRE>PREAMBLE_REGEX = &lt;regex&gt; * A regular expression that lets Splunk software ignore "preamble lines", or lines that occur before lines that represent structured data. * When set, Splunk software ignores these preamble lines, based on the pattern you specify. * Default: not set</PRE> Mon, 10 Jun 2024 22:52:40 GMT https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690280#M28280 KendallW 2024-06-10T22:52:40Z https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690281#M28281 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/121137">@KendallW</a>&nbsp;Thanks for responding to this matter&nbsp;</P><P>&nbsp;</P><P>could you please give example cuz i don't understand it quite good .</P><P>for example this log&nbsp;</P><P><SPAN>Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900</SPAN></P><P>&nbsp;</P><P><SPAN>i want to remove the timestamp and host at the beginning of the event&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>this happened because the non syslog source type i guess and i want this to be removed</SPAN></P> Mon, 10 Jun 2024 23:04:39 GMT https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690281#M28281 KhalidAlharthi 2024-06-10T23:04:39Z https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690284#M28282 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266570">@KhalidAlharthi</a>&nbsp;try this in props.conf (on indexer or HF)<BR />PREAMBLE_REGEX =&nbsp;\w{3}\s(\d{2}[\s\:]){4}(\d{1,3}\.){3}\d{1,3}\s\w{3}\s(\d{2}[\s\:]){4}[^\s]+\s</P> Mon, 10 Jun 2024 23:19:31 GMT https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690284#M28282 KendallW 2024-06-10T23:19:31Z https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690285#M28283 <P>Can you see your private messages if you don't mind</P> Mon, 10 Jun 2024 23:48:36 GMT https://community.splunk.com/t5/Deployment-Architecture/forwarded-data-remove-timestamp-and-host/m-p/690285#M28283 KhalidAlharthi 2024-06-10T23:48:36Z