Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Manipulate logs in upload

alisaf
New Member
‎08-07-2019 12:29 AM

Hi,
I have logs that have in the top some data that doesn't relevant for me and I would like that it won't appear.

This is the data that I would like to remove:

Device version: D02.20.33
MCFG Version: Unknown

UP TIME: 00:05:24.292

emory pool at 0x000000008f000000, size 8 MiB

also, I have some rows in the log that not include a timestamp and I want to add the same timestamp as the one in the next line. for example, this is the logs:
--------- beginning of events
01-15 04:17:19.370 453 453 I auditd : type=2000 audit(0.0:1): initialized

and I would like that it will be:
01-15 04:17:19.370 453 453 --------- beginning of events
01-15 04:17:19.370 453 453 I auditd : type=2000 audit(0.0:1): initialized

can I do that with Splunk when I'm uploading the logs?
Thank you!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2019 05:36 AM

The first part probably can be done using SEDCMD in props.conf if you can come up with a regex that matches the lines to remove.
The second part, however, is not possible in Splunk. You'll need to create a scripted input or use a pre-processor such as Cribl (not sure Cribl can do that, though).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

alisaf
New Member
‎08-07-2019 07:48 AM

Thank you!
Splunk default associates this line to the previous event, maybe there is some option to associate this line with the next event?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2019 09:45 AM

There is no such option. That's why I said "not possible".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

alisaf
New Member
‎08-07-2019 10:49 PM

thanks 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...