Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: nullQueue transformation behavior in a multili...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nullQueue transformation behavior in a multiline event
I am indexing a series of files where each file is a single, multiline event. Each file has series of pound sign prefixed comment lines at the beginning and the end. My nullQueue transformation removes the lines at the beginning but not the ones at the end. The transformation regex is ^#
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First a question: what are you using to identify the linebreaking rule to Splunk? Anything?
If you are letting Splunk do automatic linebreaking, you could set
MUST_BREAK_AFTER = ^#
in props.conf
That would force each one of the comment lines to be a separate event, and then all the comment lines would be picked up by your transformation. This may leave one of the comment lines attached to the end of the event, though. Is there some sort of tag or other info that would identify the end of the real event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Easy to define a field for this. In props.conf:
[yoursourcetypehere]
EXTRACT-e42=(?<first_char>.)
In your search:
yoursearchhere AND first_char!="#"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not averse to actually indexing the comments (I have the capacity). I just need a way to suppress the display of them. Is it possible to capture them as a field and somehow prevent the field from displaying in the search window?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately I am not permitted to post this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you show the first 10 or so lines of the log file (anonymized of course)? I'd like to see the first few lines,including the line containing the timestamp. Same for the end of the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a step in the right direction as it prevented the first "good" line after the leading #s from being removed. This still left the #s at the end, even after specifying _AFTER and _BEFORE. BREAK_ONLY_BEFORE_DATE = false handled the trailing #s but now broke the event up into individual lines.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
