topic Re: How can I keep only first 6k bytes of single line event by transforms.conf in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214884#M63020 <P>It is easier to use <CODE>SEDCMD</CODE> like this:</P> <H3>props.conf</H3> <PRE><CODE>[syslog-cef] SEDCMD-keepFirst6k = s/^(.{0,6144}).*/\1/ </CODE></PRE> Fri, 04 Sep 2015 22:03:21 GMT woodcock 2015-09-04T22:03:21Z How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214883#M63019 <P>How can I keep only first 6k bytes of single line event.</P> <P>I have syslog type of data. They are single line and sometimes more than 64k Byte long. <BR /> But, I need only first 6k bytes of an event. <BR /> So, I created the following transforms.conf. But, it does not work.<BR /> I know SEDCMD works to do the same job. <BR /> But, why does transforms.conf not work? </P> <UL> <LI><P>props.conf</P> <P>[syslog-cef]<BR /> SHOULD_LINEMERGE = false<BR /> TRANSFORMS-keep6k = keep6k</P></LI> <LI><P>transforms.conf</P> <P>[keep6k]<BR /> REGEX = ^(.{6144})<BR /> DEST_KEY = _raw<BR /> FORMAT = $1<BR /> Data is not truncated to 6k. </P></LI> </UL> Fri, 04 Sep 2015 21:45:15 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214883#M63019 Masa 2015-09-04T21:45:15Z Re: How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214884#M63020 <P>It is easier to use <CODE>SEDCMD</CODE> like this:</P> <H3>props.conf</H3> <PRE><CODE>[syslog-cef] SEDCMD-keepFirst6k = s/^(.{0,6144}).*/\1/ </CODE></PRE> Fri, 04 Sep 2015 22:03:21 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214884#M63020 woodcock 2015-09-04T22:03:21Z Re: How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214885#M63021 <P>Thanks for quick response. <BR /> If I used SEDCMD with the following regex. This works. </P> <PRE><CODE>SEDCMD-keepFirst6k = s/^(.{6144})/\1/ </CODE></PRE> <P>I'm looking for transforms.conf so that I can use the same regex for multiple sourcetypes by calling this transform name.</P> Fri, 04 Sep 2015 22:23:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214885#M63021 Masa 2015-09-04T22:23:33Z Re: How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214886#M63022 <P>Your initial solution looks fine to me; did you restart all Splunk instances on your Indexers and Heavy Forwarders?</P> Fri, 04 Sep 2015 22:33:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214886#M63022 woodcock 2015-09-04T22:33:07Z Re: How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214887#M63023 <P>IMHO, you are gaining nothing except in the case that you decide to change from 6144 character to some other number (in that case you would have to edit every <CODE>props.conf</CODE> copy). If you are not planning on doing this, then the <CODE>SEDCMD</CODE> solution is shorter, better, and has every other benefit.</P> Fri, 04 Sep 2015 22:34:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214887#M63023 woodcock 2015-09-04T22:34:57Z Re: How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214888#M63024 <P>Hi, woodcok. Thanks you for your advice. Yes, I did restarted. In my test, I used a UF and indexer. But, it is same result even if I have a standalone instance to monitor the same file. </P> Sun, 06 Sep 2015 23:24:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214888#M63024 Masa 2015-09-06T23:24:34Z Re: How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214889#M63025 <P>Hi Masa,</P> <P>take a look at this answer <A href="http://answers.splunk.com/answers/306418/how-can-i-remove-partial-string-of-single-line-eve-1.html#answer-306465">http://answers.splunk.com/answers/306418/how-can-i-remove-partial-string-of-single-line-eve-1.html#answer-306465</A> <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>cheers, MuS</P> Mon, 07 Sep 2015 08:29:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214889#M63025 MuS 2015-09-07T08:29:12Z Re: How can I keep only first 6k bytes of single line event by transforms.conf https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214890#M63026 <P>Thanks, MuS. </P> Mon, 07 Sep 2015 17:17:40 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-keep-only-first-6k-bytes-of-single-line-event-by/m-p/214890#M63026 Masa 2015-09-07T17:17:40Z