https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139992#M38570 <P>Thanks for the quick response, I will give it a shot and I am working with sample logs until I get it sorted.</P> Tue, 10 Feb 2015 00:42:10 GMT Bliide 2015-02-10T00:42:10Z https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139990#M38568 <P>I am trying to remove the header from a log file. I know that I need to put a stanza in props.conf on the forwarder and then create a transforms.conf like the following:</P> <PRE><CODE>[skip_header_logfile] REGEX = &lt;&lt; 20-30 characters of your header line &gt;&gt; DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>My problem is that my REGEX skills are horrible. My log file looks like this:</P> <PRE><CODE>&lt;Header&gt; &lt;Product&gt;Microsoft SQL Server Reporting Services Version 2011.0110.2100.060 ((SQL11_RTM).120210-1917 )&lt;/Product&gt; &lt;Locale&gt;English (United States)&lt;/Locale&gt; &lt;TimeZone&gt;Central Standard Time&lt;/TimeZone&gt; &lt;Path&gt;C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\Logfiles\ReportServerService__01_06_2015_00_01_11.log&lt;/Path&gt; &lt;SystemName&gt;SERVER&lt;/SystemName&gt; &lt;OSName&gt;Microsoft Windows NT 6.1.7601 Service Pack 1&lt;/OSName&gt; &lt;OSVersion&gt;6.1.7601&lt;/OSVersion&gt; &lt;ProcessID&gt;10653&lt;/ProcessID&gt; &lt;Virtualization&gt;None&lt;/Virtualization&gt; &lt;/Header&gt; library!WindowsService_112!195c!01/06/2015-00:01:11:: i INFO: Call to CleanBatch() </CODE></PRE> <P>All that I need is REGEX that will select everything from <CODE>to</CODE> and of course include the header text, but I can not get it to work. Any help would be greatly appreciated.</P> Tue, 10 Feb 2015 00:03:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139990#M38568 Bliide 2015-02-10T00:03:32Z https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139991#M38569 <P>AFAIK, having regex expression go to nullQueue will <STRONG>discard entire event</STRONG>, not just the matched pattern. You should be looking for a SEDCMD. </P> <P>Try this:</P> <PRE><CODE>props.conf [your_sourcetype] SEDCMD-null = s/(?s)&lt;Header&gt;.*(?=&lt;\/Header&gt;)&lt;\/Header&gt;// </CODE></PRE> <P>Having said so, proceed with caution as this works directly at index time and there is no way to get back lost data. I suggest you try the command on sample data before putting it into production.</P> Tue, 10 Feb 2015 00:35:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139991#M38569 sk314 2015-02-10T00:35:50Z https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139992#M38570 <P>Thanks for the quick response, I will give it a shot and I am working with sample logs until I get it sorted.</P> Tue, 10 Feb 2015 00:42:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139992#M38570 Bliide 2015-02-10T00:42:10Z https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139993#M38571 <P>Converted this to an answer. Bliide, if you are still around could you check if this works and accept this answer, or otherwise comment back on what's still needed?</P> Sun, 01 Nov 2015 20:17:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-the-regex-for-the-removal-of-a-header-from-a-log/m-p/139993#M38571 Richfez 2015-11-01T20:17:45Z