Is there a way to remove the header that comes with non-syslog source types, which includes the hostname and timestamp with priority at the beginning of the event sent?
I have configured outputs.conf, props.conf, transforms.conf.
Is there a way to remove the priority and hostname associated with the timestamp on the third-party system?
Thanks
@KendallW Thanks for responding to this matter.
Could you please give an example, because I don't understand it quite well.
For example, this log:
Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900
I want to remove the timestamp and host at the beginning of the event.
This happened because of the non-syslog source type, I guess, and I want this to be removed.
Hi @KhalidAlharthi, try this in props.conf (on indexer or HF):
PREAMBLE_REGEX = \w{3}\s(\d{2}[\s\:]){4}(\d{1,3}\.){3}\d{1,3}\s\w{3}\s(\d{2}[\s\:]){4}[^\s]+\s
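Added example, not from this thread and not Splunk's own code: a small Python check that applies the regex above to the sample log line posted earlier, so you can see exactly which prefix it covers before putting it in props.conf. It assumes that \w, \s, \d, [^\s] and {n} repetition behave the same under Python's re as under Splunk's PCRE (they do for these constructs), and it adds a constructed plain-syslog line as a second input.

```python
import re

# The PREAMBLE_REGEX posted in the thread, used unchanged as a Python pattern.
# Assumption: for these constructs Python's re and Splunk's PCRE agree.
PREAMBLE_REGEX = r"\w{3}\s(\d{2}[\s\:]){4}(\d{1,3}\.){3}\d{1,3}\s\w{3}\s(\d{2}[\s\:]){4}[^\s]+\s"
PREAMBLE = re.compile(PREAMBLE_REGEX)

# The sample event from the thread (copied from the line posted above).
SAMPLE_EVENT = (
    "Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 "
    "snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900"
)

# Constructed second input: the same message with only a single, normal syslog
# header (no relay IP and no doubled timestamp). Used to show the regex is
# specific to the doubled header and leaves ordinary syslog events alone.
PLAIN_SYSLOG_EVENT = (
    "Jul 14 14:15:56 my-host-int02 "
    "snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900"
)


def split_preamble(event: str):
    """Return (preamble, remainder).

    preamble is the text the regex matches at the very start of the event
    (anchored with re.match), or '' when the regex does not match there.
    remainder is what would be left as the event body.
    """
    m = PREAMBLE.match(event)
    if not m:
        return "", event
    return m.group(0), event[m.end():]


def strip_preamble(event: str) -> str:
    """Return the event with the matched preamble removed (unchanged if no match)."""
    return split_preamble(event)[1]


if __name__ == "__main__":
    for line in (SAMPLE_EVENT, PLAIN_SYSLOG_EVENT):
        pre, rest = split_preamble(line)
        print("preamble :", repr(pre))
        print("remainder:", rest)
        print()
```

On the posted sample the matched preamble is "Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 " and the remainder starts at "snmpd[7777]: ...". The second input is not matched at all, because the pattern requires the dotted IP and the repeated date between the two headers, so a normally formatted syslog event passes through untouched. The props.conf spec text quoted in this thread describes PREAMBLE_REGEX as skipping whole lines before structured data, so after applying it, confirm on your actual source type that the indexed event looks like the remainder shown here.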
Can you see your private messages, if you don't mind?
You can do this with PREAMBLE_REGEX in props.conf.
PREAMBLE_REGEX = <regex>
* A regular expression that lets Splunk software ignore "preamble lines", or lines that occur before lines that represent structured data.
* When set, Splunk software ignores these preamble lines, based on the pattern you specify.
* Default: not set