Solved: Re: Remove syslog prefix from Json

vbotnari1 · ‎07-11-2019

I have a Json log which looks like this

Jul 11 14:37:48 darktrace-dt-722-01 darktrace {"creationTime":1562855937000,"breachUrl":...}

I have to remove the timestamp hostanem, all syslog prefixes until {

This is how my props.conf looks like

[darktrace]
SEDCMD-StripHeader = ^([^\{]+) 
KV_MODE = json
pulldown_type = true
category = Structured
description = darktrace

But it doesn't work. I tried INDEXED_EXTRACTIONS = json as well without success.

Any help is appreciated. Thanks

woodcock · ‎07-11-2019

It must be an actual sed command like this:

 SEDCMD-StripHeader = s/^[^\{]+//

View solution in original post

woodcock · ‎07-11-2019

It must be an actual sed command like this:

 SEDCMD-StripHeader = s/^[^\{]+//

vbotnari1 · ‎07-12-2019

Thank you @woodcock . I tried your suggested sed command but it did nothing.

woodcock · ‎07-12-2019

If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

Remove syslog prefix from Json

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms