Deployment Architecture
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- forwarded data remove timestamp and host
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forwarded data remove timestamp and host
KhalidAlharthi
Explorer
06-10-2024
03:26 PM
is there a way to remove the header comes with non syslog source types that include hostname and timestamp with priority at the begnning of the event sended
i have configuered outputs.conf,props.conf,transforms.conf
is there a way to remove the priority and hostname associated with timestamp on the third-party system
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
KhalidAlharthi
Explorer
06-10-2024
04:04 PM
@KendallW Thanks for responding to this matter
could you please give example cuz i don't understand it quite good .
for example this log
Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900
i want to remove the timestamp and host at the beginning of the event
this happened because the non syslog source type i guess and i want this to be removed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
KendallW
Contributor
06-10-2024
04:19 PM
Hi @KhalidAlharthi try this in props.conf (on indexer or HF)
PREAMBLE_REGEX = \w{3}\s(\d{2}[\s\:]){4}(\d{1,3}\.){3}\d{1,3}\s\w{3}\s(\d{2}[\s\:]){4}[^\s]+\s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
KhalidAlharthi
Explorer
06-10-2024
04:48 PM
Can you see your private messages if you don't mind
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
KendallW
Contributor
06-10-2024
03:52 PM
You can do this with PREAMBLE_REGEX in props.conf
PREAMBLE_REGEX = <regex> * A regular expression that lets Splunk software ignore "preamble lines", or lines that occur before lines that represent structured data. * When set, Splunk software ignores these preamble lines, based on the pattern you specify. * Default: not set
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcment
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
