https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136556#M97847 <P>Hello, i have logs with some event. I want see only my event. How i can remove another information. My event bigins at:"main: number of bytes received: 489" and finish at: "Send msg to queue *******" Could you help me in skype digilan007</P> <P>6| set_buffer_mode: stderr is line-buffered<BR /> 6| Opened txrout.out, Mar 27 at 09:38:00</P> <P>6| #!# SVFE Ver. 2.2.7 build 20050624 #!#<BR /> 6| =&gt;COMMIT_WORK (db_login.pc)<BR /> 0| </P> <HR /> <P>Task with ID = 11 is waiting for the message to arrive on the queue 34471943.<BR /> 49395| main: number of bytes received: 63<BR /> 49395| 09:41:18 <BR /> 49395| main: Found message format 1.00<BR /> 49395| =&gt;sv_msg2msgx_ent (tag_utils.c)<BR /> 49395| =&gt;svm_dprint (sv_message.c 10.4)<BR /> 49395| svm_dprint: Message v1.00<BR /> umsgnum = 00000000 org_pid = 00000000<BR /> dest_pid = 00000000 timestamp_in = 1301204478<BR /> msg_size = 00000007 msgtype = 00000022<BR /> direction = 00000000 dev_proc_id = 00000000<BR /> org_dev_qid = 34471943 49395| BITS: 49395|<BR /><BR /> ...................................................................................................<BR /> 0| =&gt;get_from_addldata (tag_utils.c)<BR /> 0| get_from_addldata:Input dptr=0x0x600fffffffef6fc8 limit=0x0x600fffffffef6fc8<BR /> 0| Tag 0xBD SVT_ACTION is not present in bpc_addldata<BR /> 0| txn_needs_new_routing: return FALSE<BR /> 0| =&gt;COMMIT_WORK (db_login.pc)</P> Mon, 28 Sep 2020 20:08:07 GMT DuXa 2020-09-28T20:08:07Z https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136556#M97847 <P>Hello, i have logs with some event. I want see only my event. How i can remove another information. My event bigins at:"main: number of bytes received: 489" and finish at: "Send msg to queue *******" Could you help me in skype digilan007</P> <P>6| set_buffer_mode: stderr is line-buffered<BR /> 6| Opened txrout.out, Mar 27 at 09:38:00</P> <P>6| #!# SVFE Ver. 2.2.7 build 20050624 #!#<BR /> 6| =&gt;COMMIT_WORK (db_login.pc)<BR /> 0| </P> <HR /> <P>Task with ID = 11 is waiting for the message to arrive on the queue 34471943.<BR /> 49395| main: number of bytes received: 63<BR /> 49395| 09:41:18 <BR /> 49395| main: Found message format 1.00<BR /> 49395| =&gt;sv_msg2msgx_ent (tag_utils.c)<BR /> 49395| =&gt;svm_dprint (sv_message.c 10.4)<BR /> 49395| svm_dprint: Message v1.00<BR /> umsgnum = 00000000 org_pid = 00000000<BR /> dest_pid = 00000000 timestamp_in = 1301204478<BR /> msg_size = 00000007 msgtype = 00000022<BR /> direction = 00000000 dev_proc_id = 00000000<BR /> org_dev_qid = 34471943 49395| BITS: 49395|<BR /><BR /> ...................................................................................................<BR /> 0| =&gt;get_from_addldata (tag_utils.c)<BR /> 0| get_from_addldata:Input dptr=0x0x600fffffffef6fc8 limit=0x0x600fffffffef6fc8<BR /> 0| Tag 0xBD SVT_ACTION is not present in bpc_addldata<BR /> 0| txn_needs_new_routing: return FALSE<BR /> 0| =&gt;COMMIT_WORK (db_login.pc)</P> Mon, 28 Sep 2020 20:08:07 GMT https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136556#M97847 DuXa 2020-09-28T20:08:07Z https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136557#M97848 <P>Which are all the information,you want to remove.Can u please be more specific on your query?</P> Fri, 05 Jun 2015 05:48:20 GMT https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136557#M97848 jackson1990 2015-06-05T05:48:20Z https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136558#M97849 <P>Hi, your sample data does not correspond with the event delimiters you specify. (There is no line "Send message to queue..."). Also, this is the user forum, not an official support site - maybe someone will call you on skype, but you shouldn't count on it.</P> <P>In general, it would probably be good to study the documentation sections for props.conf, more specifically around the parameters for breaking the incoming data stream into events (BREAK_ONLY_BEFORE... MUST_NOT_BREAK...), and possibly also the docs on anonymizing data, which could be a means for removing the unwanted lines.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles</A></P> <P>/k</P> Mon, 28 Sep 2020 20:08:09 GMT https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136558#M97849 kristian_kolb 2020-09-28T20:08:09Z https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136559#M97850 <P>As Kristian said in the comment, you probably want to redefine the way you want splunk to parse your events.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents</A></P> <P>Then once you isolated the pieces : delete the useless events (see nullQueue), or reformat them using (SEDCMD)<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles</A></P> Sun, 14 Jun 2015 03:35:04 GMT https://community.splunk.com/t5/Getting-Data-In/the-beginning-and-end-of-the-event/m-p/136559#M97850 yannK 2015-06-14T03:35:04Z