Re: I have log files. I want to ignore all the lin...

saibal6 · ‎03-13-2018

EVENT_SESH;0;01/03/2018 22:57:27:5000;1;1;0;;;END OF IMPORT PROCESS FOR THE MASTER STORE - PENDING_TXT(0)

after this line I want to ignore all the lines before indexing from the log files. Please suggest me how can i do this with the help of sedcmd command. I am using universal forwarder.

Please also tell me the exact path where I have to make changes for props.conf. I'm using windows OS

JDukeSplunk · ‎03-15-2018

This answer might help you.

https://answers.splunk.com/answers/594894/blacklist-log-events-not-log-filenames-using-a-str.html

This basically black-holes data that meets a specific regex. Of course, if the lines are not uniform this will be difficult.

http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad

saibal6 · ‎03-13-2018

forgot to mention my source name (source: D:\CentralData\MONACO)

I have log files. I want to ignore all the lines after a particular line from a log file. Can I do this with the help of sedcmd command? If yes then please tell me how can I do that?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

I have log files. I want to ignore all the lines after a particular line from a log file. Can I do this with the help of sedcmd command? If yes then please tell me how can I do that?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers