How to pull out a header before indexing?

Path Finder

I am attempting to index some SSRS logs. Each log file has a header at the beginning of the file. I would like to pull out the header before indexing. I attempted to use PREAMBLE_REGEX but I cannot get it to work. The header always has the following format:

A LOT of text

I know there has to be a way to pull it out but either I am going down the wrong track with PREAMBLE_REGEX or I have a flaw in my code. Any advice is welcome.


Builder

Try this

# props.conf
[<< sourcetype >>]
TRANSFORMS-skiphdr = skipheaderlogfile

# transforms.conf
[skipheaderlogfile]
REGEX = << 20-30 characters of your header line >>
DEST_KEY = queue
FORMAT = nullQueue



Splunk Employee

On your forwarder where you are getting this data, update your props.conf with this line from @jayannah:

[<< sourcetype >>]
TRANSFORMS-skiphdr= skip_header_logfile

Then create a transforms.conf in the same location and add these lines by @jayannah:

[skip_header_logfile]
REGEX = << 20-30 characters of your header line >>
DEST_KEY = queue
FORMAT = nullQueue
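To make the two answers above concrete, here is an added worked example (my own code, not from either poster or from Splunk) that simulates what the props.conf/transforms.conf pair does: it builds an anchored REGEX from the first 20-30 characters of each header line, escaping regex metacharacters so literal text such as `[build 4]` or `1.2.3` is matched rather than interpreted, renders the two stanzas, and then routes each event either to nullQueue (dropped) or to indexQueue, the way Splunk applies a `DEST_KEY = queue` transform per event after line breaking. It generalises the single-line hint in the answers to a header of several lines by alternating over each line's prefix. The SSRS-looking log, the sourcetype name `ssrs_log`, the stanza name and the four-line header length are all constructed assumptions for this example.

```python
import re

# Constructed sample log standing in for an SSRS log: a four-line header
# followed by two real events. None of this content is real SSRS output.
SAMPLE_LOG = """\
ReportServerService (constructed header)
Version: 1.2.3 [build 4]
Generated: 2024-01-01
----------------------------------------
2024-01-01 10:00:00 INFO  first real event
2024-01-01 10:00:01 WARN  second real event
"""

HEADER_LINE_COUNT = 4  # assumption for the sample: the header is the first four lines


def header_regex(header_lines, prefix_len=30):
    """Build an anchored regex that matches any of the header lines by its
    first `prefix_len` characters. re.escape() neutralises metacharacters
    ('[', ']', '.', '(', '-', ...) so the header text is matched literally;
    the '^' anchor keeps the pattern from firing on the same text mid-event."""
    alts = "|".join(re.escape(line[:prefix_len]) for line in header_lines)
    return f"^(?:{alts})"


def render_conf(sourcetype, regex, stanza="skipheaderlogfile"):
    """Return the props.conf and transforms.conf text for the nullQueue routing,
    in the same shape as the stanzas posted in the answers."""
    props = f"[{sourcetype}]\nTRANSFORMS-skiphdr = {stanza}\n"
    transforms = (
        f"[{stanza}]\n"
        f"REGEX = {regex}\n"
        "DEST_KEY = queue\n"
        "FORMAT = nullQueue\n"
    )
    return props, transforms


def route_events(events, regex):
    """Simulate the transform: the REGEX is tested against each event in turn;
    matching events go to nullQueue and are discarded, all others continue to
    indexQueue. Returns both queues so the effect can be inspected."""
    pattern = re.compile(regex)
    queues = {"nullQueue": [], "indexQueue": []}
    for event in events:
        queues["nullQueue" if pattern.search(event) else "indexQueue"].append(event)
    return queues


def demo():
    """Run the whole flow over the constructed sample; returns (regex, queues)."""
    # Assumes default line breaking, i.e. one event per line, so each header
    # line is its own event and must be matched on its own.
    events = SAMPLE_LOG.splitlines()
    regex = header_regex(events[:HEADER_LINE_COUNT])
    return regex, route_events(events, regex)


if __name__ == "__main__":
    regex, queues = demo()
    props, transforms = render_conf("ssrs_log", regex)
    print(props)
    print(transforms)
    print("dropped:", len(queues["nullQueue"]), "indexed:", len(queues["indexQueue"]))
```

Two things the simulation makes visible that the bare stanzas do not. First, the regex is applied per event, so if the header spans several lines and each line becomes its own event, a pattern covering only the first line drops only that line; either match every header line (as above) or adjust line breaking so the whole header is one event. Second, the `DEST_KEY = queue` transform runs in the parsing pipeline, so it takes effect on an indexer or heavy forwarder; a universal forwarder does not parse events and will not apply it, and PREAMBLE_REGEX is only honoured for structured data (CSV/TSV/JSON-style files using INDEXED_EXTRACTIONS), which is why it does not help with a free-text header like this one.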