https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254552#M48885 <P>Try something like this</P> <P>props.conf on Indexer/Heavy forwarder</P> <PRE><CODE>[yoursourceytpe] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\d+\:\d+\:\d+ ...other time format settings--- TRANSFORMS-removeheaderevent = setnull </CODE></PRE> <P>transforms.conf on Indexer/Heavy forwarder</P> <PRE><CODE>[setnull] REGEX = ^\w+ DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 18 Mar 2016 15:05:49 GMT somesoni2 2016-03-18T15:05:49Z https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254551#M48884 <P>Hi,</P> <P>We have an ugly custom log file, and we'd like to filter out the beginning of the file. We'd like to start from the first line, down to the first line with a valid timestamp. Is that possible? </P> <P>Here's a sample:</P> <P>Lots of lines like this:</P> <PRE><CODE>Application Name: Email_MMK_Node3_PR Application Type: EMAIL_SERVER Application stuff.... .... Application Options: { { pop-client ['password' [output suppressed], 'move-failed-ews-item' [str] = "true", 'protocol-timeout' [str] = "00:05:00", 'maximum-msg-size' [str] = "5", 'type' [str] = "IMAP", 'address' [str] = "#", 'exchange-version' [str] = "Exchange2010_SP2", 'endpoint' [str] = "default", 'folder-path' [str] = "INBOX", 'leave-msg-on-server' [str] = "false", 'folder-separator' [str] = "/", 'port' [str] = "995", 'delete-bad-formatted-msg' [str] = "false", 'failed-items-folder-name' [str] = "", 'pop-connection-security' [str] = "none", 'enable-debug' [str] = "false", 'connect-timeout' [str] = "00:00:30", 'cycle-time' [str] = "00:00:30", 'mailbox' [str] = "#", 'enable-big-msg-stripping' [str] = "false", 'server' [str] = "imap.blah.blah.com", 'delete-big-msg' [str] = "false", 'enable-client' [str] = "false", 'allow-bad-msg-size' [str] = "false", 'maximum-msg-number' [str] = "500", ]} { pop-client-aaargprations ['password' [output suppressed], 'move-failed-ews-item' [str] = "true", 'protocol-timeout' [str] = "00:05:00", 'maximum-msg-size' [str] = "5", 'type' [str] = "IMAP", 'address' [str] = "anotherfield.com", 'exchange-version' [str] = "Exchange2010_SP2", 'endpoint' [str] = "blahblahIn_Endpoint", 'folder-path' [str] = "INBOX", 'leave-msg-on-server' [str] = "true", 'folder-separator' [str] = "/", 'port' [str] = "993", 'delete-bad-formatted-msg' [str] = "false", 'failed-items-folder-name' [str] = "failedItems", 'pop-connection-security' [str] = "ssl-tls", 'connect-timeout' [str] = "00:00:30", 'enable-debug' [str] = "false", 'cycle-time' [str] = "00:00:30", 'mailbox' [str] = "1234rkrgprations", 'enable-big-msg-stripping' [str] = "false", 'server' [str] = "blah.server.com", 'delete-big-msg' [str] = "false", 'enable-client' [str] = "false", 'allow-bad-msg-size' [str] = "false", 'maximum-msg-number' [str] = "500", ]} } 23:11:14.972 Dbg 29999 [EmailServer] Configuring 'MESSAGE_SERVER' connection </CODE></PRE> <P>Any suggestions?</P> Fri, 18 Mar 2016 14:32:50 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254551#M48884 a212830 2016-03-18T14:32:50Z https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254552#M48885 <P>Try something like this</P> <P>props.conf on Indexer/Heavy forwarder</P> <PRE><CODE>[yoursourceytpe] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\d+\:\d+\:\d+ ...other time format settings--- TRANSFORMS-removeheaderevent = setnull </CODE></PRE> <P>transforms.conf on Indexer/Heavy forwarder</P> <PRE><CODE>[setnull] REGEX = ^\w+ DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 18 Mar 2016 15:05:49 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254552#M48885 somesoni2 2016-03-18T15:05:49Z https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254553#M48886 <P>Can you elaborate? What is the regex doing? </P> Fri, 18 Mar 2016 15:47:59 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254553#M48886 a212830 2016-03-18T15:47:59Z https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254554#M48887 <P>The props.conf is splitting your logs in the events, where events will start with timesamp (23:11:14.972 in above example). This will give one extra large events with all the header preamble text. The TRANSFORMS will just find that huge header event, which I assume start with some word and not with timestamp, and will drop that events. (see this for transforms usage <A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A>)</P> Fri, 18 Mar 2016 16:01:31 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254554#M48887 somesoni2 2016-03-18T16:01:31Z https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254555#M48888 <P>Thanks. Interesting approach. Never considered it. </P> Fri, 18 Mar 2016 18:05:14 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254555#M48888 a212830 2016-03-18T18:05:14Z https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254556#M48889 <P>For anyone who stumbles on this in the future with similar questions, remember that you can tinker with the sourcetype definition with the Add Data wizard. The Advanced panel of the Set Source Type menu is where you can tinker and see how splunk would interpret the results.</P> Mon, 21 Mar 2016 14:53:49 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-extracting-and-filtering-header-preambles/m-p/254556#M48889 sloshburch 2016-03-21T14:53:49Z