Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

forwarded data remove timestamp and host

KhalidAlharthi
Explorer
‎06-10-2024 03:26 PM

is there a way to remove the header comes with non syslog source types that include hostname and timestamp with priority at the begnning of the event sended

 

i have configuered outputs.conf,props.conf,transforms.conf

 

is there a way to remove the priority and hostname associated with timestamp on the third-party system

 

thanks

Labels (1)
Labels
0 Karma
Reply

KhalidAlharthi
Explorer
‎06-10-2024 04:04 PM

@KendallW Thanks for responding to this matter 

 

could you please give example cuz i don't understand it quite good .

for example this log 

Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900

 

i want to remove the timestamp and host at the beginning of the event 

 

this happened because the non syslog source type i guess and i want this to be removed

0 Karma
Reply

KendallW
Contributor
‎06-10-2024 04:19 PM

Hi @KhalidAlharthi try this in props.conf (on indexer or HF)
PREAMBLE_REGEX = \w{3}\s(\d{2}[\s\:]){4}(\d{1,3}\.){3}\d{1,3}\s\w{3}\s(\d{2}[\s\:]){4}[^\s]+\s

0 Karma
Reply

KhalidAlharthi
Explorer
‎06-10-2024 04:48 PM

Can you see your private messages if you don't mind

0 Karma
Reply

KendallW
Contributor
‎06-10-2024 03:52 PM

Hi @KhalidAlharthi 

You can do this with PREAMBLE_REGEX in props.conf

PREAMBLE_REGEX = <regex>
* A regular expression that lets Splunk software ignore "preamble lines",
  or lines that occur before lines that represent structured data.
* When set, Splunk software ignores these preamble lines,
  based on the pattern you specify.
* Default: not set
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...