https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377228#M68268 <P>I have a Json log which looks like this</P> <PRE><CODE>Jul 11 14:37:48 darktrace-dt-722-01 darktrace {"creationTime":1562855937000,"breachUrl":...} </CODE></PRE> <P>I have to remove the timestamp hostanem, all syslog prefixes until {</P> <P>This is how my props.conf looks like</P> <PRE><CODE>[darktrace] SEDCMD-StripHeader = ^([^\{]+) KV_MODE = json pulldown_type = true category = Structured description = darktrace </CODE></PRE> <P>But it doesn't work. I tried INDEXED_EXTRACTIONS = json as well without success.</P> <P>Any help is appreciated. Thanks</P> Thu, 11 Jul 2019 15:23:44 GMT vbotnari1 2019-07-11T15:23:44Z https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377228#M68268 <P>I have a Json log which looks like this</P> <PRE><CODE>Jul 11 14:37:48 darktrace-dt-722-01 darktrace {"creationTime":1562855937000,"breachUrl":...} </CODE></PRE> <P>I have to remove the timestamp hostanem, all syslog prefixes until {</P> <P>This is how my props.conf looks like</P> <PRE><CODE>[darktrace] SEDCMD-StripHeader = ^([^\{]+) KV_MODE = json pulldown_type = true category = Structured description = darktrace </CODE></PRE> <P>But it doesn't work. I tried INDEXED_EXTRACTIONS = json as well without success.</P> <P>Any help is appreciated. Thanks</P> Thu, 11 Jul 2019 15:23:44 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377228#M68268 vbotnari1 2019-07-11T15:23:44Z https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377229#M68269 <P>It must be an actual <CODE>sed command</CODE> like this:</P> <PRE><CODE> SEDCMD-StripHeader = s/^[^\{]+// </CODE></PRE> Thu, 11 Jul 2019 18:55:18 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377229#M68269 woodcock 2019-07-11T18:55:18Z https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377230#M68270 <P>Thank you @woodcock . I tried your suggested sed command but it did nothing.</P> Fri, 12 Jul 2019 07:29:03 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377230#M68270 vbotnari1 2019-07-12T07:29:03Z https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377231#M68271 <P>If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using <CODE>_index_earliest=-5m</CODE> to be absolutely certain that you are only examining the newly indexed events.</P> Fri, 12 Jul 2019 13:58:48 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-syslog-prefix-from-Json/m-p/377231#M68271 woodcock 2019-07-12T13:58:48Z