Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove syslog prefix from Json

vbotnari1
Engager
‎07-11-2019 08:23 AM

I have a Json log which looks like this

Jul 11 14:37:48 darktrace-dt-722-01 darktrace {"creationTime":1562855937000,"breachUrl":...}

I have to remove the timestamp hostanem, all syslog prefixes until {

This is how my props.conf looks like

[darktrace]
SEDCMD-StripHeader = ^([^\{]+) 
KV_MODE = json
pulldown_type = true
category = Structured
description = darktrace

But it doesn't work. I tried INDEXED_EXTRACTIONS = json as well without success.

Any help is appreciated. Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-11-2019 11:55 AM

It must be an actual sed command like this:

 SEDCMD-StripHeader = s/^[^\{]+//

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-11-2019 11:55 AM

It must be an actual sed command like this:

 SEDCMD-StripHeader = s/^[^\{]+//
Reply
Solved! Jump to solution

vbotnari1
Engager
‎07-12-2019 12:29 AM

Thank you @woodcock . I tried your suggested sed command but it did nothing.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-12-2019 06:58 AM

If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...