Hello,
I am trying nullQueue, but I think it discards the entire event. Is there a syntax that just discards lines but keeps the rest of the event? This is for a multiline event. Thanks,
No. If you really want to discard part of an event, you're going to need to use a SEDCMD directive in props.conf:
SEDCMD-<name> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit card or social security numbers. For more information, search the online documentation for "anonymize data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
        * regex is a perl regular expression (optionally containing capturing groups).
        * replacement is a string to replace the regex match. Use \n for backreferences, where "n" is a single digit.
        * flags can be either: g to replace all matches, or a number to replace a specified match.
    * substitute - y/string1/string2/
        * substitutes the string1[i] with string2[i]
Try:
[my_sourcetype]
SEDCMD-null = s/^Status_.*$//
Does this look right? It's not deleting the lines yet.
[my_sourcetype]
SEDCMD-null = s/^Status_[^$]*$//
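The following is an added example, not code from this thread or from Splunk: it replays the SEDCMD script posted above against a constructed multiline event, using Python's re as a stand-in for Splunk's PCRE engine (both anchor ^ and $ to the whole string unless (?m) is set, which is the assumption the comparison rests on). The PER_LINE variant and the sample event are constructed for illustration.

```python
import re

# Constructed multiline event (not from the thread): a header line, two
# Status_ lines we want dropped, and a payload line we want kept.
RAW_EVENT = (
    "2024-01-01 12:00:00 job=backup\n"
    "Status_check=pending\n"
    "Status_detail=waiting on lock\n"
    "result=ok bytes=1024"
)

def parse_sedcmd(script: str):
    """Split 's/regex/replacement/flags' on unescaped '/' (the 's' form only)."""
    if not script.startswith("s/"):
        raise ValueError("only s/regex/replacement/flags is supported here")
    parts = re.split(r"(?<!\\)/", script[2:])
    if len(parts) != 3:
        raise ValueError(f"malformed sed script: {script!r}")
    return tuple(p.replace("\\/", "/") for p in parts)

def apply_sedcmd(raw: str, script: str) -> str:
    """Apply one SEDCMD replace to _raw: no flag = first match, g = all, N = Nth."""
    regex, replacement, flags = parse_sedcmd(script)
    # sed-style \1 backreferences become Python's \g<1>
    replacement = re.sub(r"\\(\d)", r"\\g<\1>", replacement)
    pattern = re.compile(regex)
    if flags.isdigit():  # replace only the N-th match, leave the others intact
        hits = [0]
        def nth(m):
            hits[0] += 1
            return m.expand(replacement) if hits[0] == int(flags) else m.group(0)
        return pattern.sub(nth, raw)
    return pattern.sub(replacement, raw, count=0 if flags == "g" else 1)

def status_lines_remaining(raw: str) -> int:
    """Count lines that still begin with Status_ after a SEDCMD runs."""
    return sum(1 for line in raw.splitlines() if line.startswith("Status_"))

# As posted: without (?m), ^ and $ anchor to the whole event, and Status_ is
# not at the very start of _raw, so nothing is removed.
AS_POSTED = "s/^Status_.*$//"
# (?m) anchors per line, consuming the \n leaves no blank line, g takes every line.
PER_LINE = r"s/(?m)^Status_.*\n//g"

if __name__ == "__main__":
    for script in (AS_POSTED, PER_LINE):
        left = status_lines_remaining(apply_sedcmd(RAW_EVENT, script))
        print(f"{script} -> {left} Status_ line(s) left")
```

The same apply_sedcmd() also covers the spec's anonymization use, e.g. a capturing-group script that masks the middle of a card number while keeping the first and last four digits.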