Re: forwarded data remove timestamp and host

KhalidAlharthi · ‎06-10-2024

is there a way to remove the header comes with non syslog source types that include hostname and timestamp with priority at the begnning of the event sended

i have configuered outputs.conf,props.conf,transforms.conf

is there a way to remove the priority and hostname associated with timestamp on the third-party system

thanks

KhalidAlharthi · ‎06-10-2024

@KendallW Thanks for responding to this matter

could you please give example cuz i don't understand it quite good .

for example this log

Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900

i want to remove the timestamp and host at the beginning of the event

this happened because the non syslog source type i guess and i want this to be removed

KendallW · ‎06-10-2024

Hi @KhalidAlharthi try this in props.conf (on indexer or HF)
PREAMBLE_REGEX = \w{3}\s(\d{2}[\s\:]){4}(\d{1,3}\.){3}\d{1,3}\s\w{3}\s(\d{2}[\s\:]){4}[^\s]+\s

KhalidAlharthi · ‎06-10-2024

Can you see your private messages if you don't mind

KendallW · ‎06-10-2024

Hi @KhalidAlharthi

You can do this with PREAMBLE_REGEX in props.conf

PREAMBLE_REGEX = <regex>
* A regular expression that lets Splunk software ignore "preamble lines",
  or lines that occur before lines that represent structured data.
* When set, Splunk software ignores these preamble lines,
  based on the pattern you specify.
* Default: not set

forwarded data remove timestamp and host

heavy forwarder

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?