How do I remove STDOUT prefix from log4j on a server.log file?

jefflanier
New Member

I've got a log file that has some log4j entries like this:

2016-05-03 10:32:35,895 INFO  [STDOUT] (http-0.0.0.0-8180-2) 2016-05-03 10:32:35,895 ERROR [com.somewhere.someservice] - Reason : ....

Where I'd like the first part of the line removed so Splunk simply sees the second timestamp ERROR part, but not the initial first timestamp INFO [STDOUT] ...part.

And in the same log file I've got other entries that only have one timestamp, log_level and category part to it like:

2016-05-03 09:05:20,783 INFO  [STDOUT] (main) **** something....

or

2016-05-03 09:05:20,783 ERROR  [com.somewhere.someservice].....

I know I should probably adjust the log4j configuration in the JBoss webapp, but that's not an option, so I'm looking to fix this server side in the props/transforms file.

Any recommendations or can someone point me in the right direction?

0 Karma

somesoni2
Revered Legend

You can use SEDCMD to remove the unwanted string from your events. Again, it's recommended that you fix this at the source.

http://docs.splunk.com/Documentation/Splunk/6.2.9/Data/Anonymizedatausingconfigurationfiles

0 Karma
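An added example, not part of the original posts: SEDCMD in props.conf rewrites the raw event at parse time, before it is indexed, so text it removes is never stored. The Python below builds one such sed expression for the lines quoted in the question and checks it against them; the sourcetype name `jboss_server_log` and the class name `strip_stdout_wrapper` are assumptions.

```python
import re

# Timestamp layout used by the log4j lines quoted in the question.
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}"

# sed-style expression: drop "<ts> INFO [STDOUT] (<thread>) " only when a second
# timestamp follows, and keep that second timestamp via the \1 backreference.
SED_EXPR = rf"s/^{TS}\s+INFO\s+\[STDOUT\]\s+\([^)]*\)\s+({TS}\s)/\1/"

SOURCETYPE = "jboss_server_log"  # assumed sourcetype name, not from the thread

# The three event shapes copied from the question.
SAMPLES = [
    "2016-05-03 10:32:35,895 INFO  [STDOUT] (http-0.0.0.0-8180-2) "
    "2016-05-03 10:32:35,895 ERROR [com.somewhere.someservice] - Reason : ....",
    "2016-05-03 09:05:20,783 INFO  [STDOUT] (main) **** something....",
    "2016-05-03 09:05:20,783 ERROR  [com.somewhere.someservice].....",
]


def props_stanza(sourcetype=SOURCETYPE, expr=SED_EXPR):
    """Render the props.conf stanza carrying the SEDCMD setting."""
    return f"[{sourcetype}]\nSEDCMD-strip_stdout_wrapper = {expr}\n"


def apply_sed(expr, line):
    """Apply a simple s/regex/replacement/[g] expression to one event."""
    m = re.fullmatch(r"s/(.*)/(.*)/(g?)", expr)
    if m is None:
        raise ValueError("expected s/regex/replacement/flags")
    pattern, repl, flag = m.groups()
    # Without the g flag, sed replaces only the first match.
    return re.sub(pattern, repl, line, count=0 if flag else 1)


if __name__ == "__main__":
    print(props_stanza())
    for event in SAMPLES:
        print(apply_sed(SED_EXPR, event))
```

Only the double-timestamp line is rewritten; the two single-timestamp shapes pass through unchanged. The stanza belongs in props.conf on the instance that parses the data (indexer or heavy forwarder).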

jefflanier
New Member

I'm not sure I understand how anonymizing the first part of the log entry is going to help. I don't want it showing up or getting indexed at all.

0 Karma