I edited props.conf & transforms.conf to remove the header of a log, but it didn't work.
Here is my config:

props.conf:
[sourcetype]
TRANSFORMS-skiphdr = setnull

transforms.conf:
[setnull]
REGEX =
DEST_KEY = queue
FORMAT = nullQueue
Is there any idea or suggestion?
I'm assuming you put the correct regex in REGEX. See @nickhillscpl's answer.
Here are some more ideas:
Remember to restart Splunk after making changes to configuration files.
Also, you must put these settings on your Heavy Forwarder / Indexer. It will not work on a Universal Forwarder.
REGEX = does not contain anything.
If there is a header string you can identify, add this to the regex.
For example, if the first line of your log was:
-------Start of Log------
you might set
REGEX = \-+Start of Log\-+
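To see what the `setnull` transform actually does with that regex, here is a small Python simulation of the routing (an added example, not code from the thread or from Splunk). It takes the `\-+Start of Log\-+` pattern from the answer above, runs it over a few constructed sample events, and splits them the way `DEST_KEY = queue` / `FORMAT = nullQueue` would: matching events are discarded, the rest go on to be indexed. The sample events and the empty-regex guard are assumptions made for the example.

```python
import re

# Regex from the answer above: matches a decorative header line such as
# "-------Start of Log------".
HEADER_REGEX = r"\-+Start of Log\-+"

# Constructed sample events (not from the original thread): one header line
# followed by ordinary log events that must survive.
SAMPLE_EVENTS = [
    "-------Start of Log------",
    "2019-03-12T14:52:42Z host1 service started",
    "2019-03-12T14:52:43Z host1 user login ok",
]


def route_events(events, regex):
    """Mimic a transforms.conf stanza with DEST_KEY = queue, FORMAT = nullQueue.

    Splunk evaluates REGEX against each event; an event that matches is sent
    to nullQueue (dropped), every other event continues to the index queue.
    Returns (kept, dropped).
    """
    if not regex.strip():
        # An empty REGEX is the misconfiguration shown in the question: there
        # is nothing for Splunk to match, so refuse it rather than guess.
        raise ValueError("REGEX must not be empty")
    pattern = re.compile(regex)
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = route_events(SAMPLE_EVENTS, HEADER_REGEX)
    print("dropped (nullQueue):", dropped)
    print("kept (indexed):     ", kept)
```

Two things worth checking before deploying the stanza: run your candidate REGEX against a real copy of the header line like this so you know it matches only that line, and remember that nullQueue discards whole events, so a pattern that also matches ordinary events will silently lose data.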
Mar 12 14:52:42 x.x.x.x 1 2019-03-12T14:52:42Z x.x.x.x s1 ;
This is the header that I need to remove, from "Mar" to "1", and this is my regex (the x's are the octets of the IP address):
The REGEX line does not show anything. Is this correct? If not, use the Code Sample formatting for displaying special characters.
You will need a proper regular expression.
It will help us if you post the log header (anonymized).
When you post code (or regex), use the code tool to make sure it's formatted/displayed.
The code tool is the icon which looks like