Solved: remove prefix on every events using SEDCMD

roopeshetty · ‎01-18-2024

Hi Guys

We are getting logs through syslog with its priority / facility data “ <14>1” prepended with every events as below;

<14>1 2024-01-18T13:45:06.621+0000 756565656565701b-cd27-475e-bab4-3e0e0893d273

<14>1 2024-01-18T13:39:47.014+0000 565gt5t54t-cd27-475e-bab4-565656565gh

We are trying to remove this prefix texts “<14>1” using SEDCMD on props.conf as below;

[source::tcp:7514]

SEDCMD-strip-tcp-priority=s/^<\d+>//

This is doing almost very close help by removing “<14>” but still “1” is coming up in events. Can some one please help us how to remove this prefix “ <14>1” on every events using SEDCMD ?

Regards.

ITWhisperer · ‎01-18-2024

SEDCMD-strip-tcp-priority=s/^<\d+>\d//

View solution in original post

ITWhisperer · ‎01-18-2024

SEDCMD-strip-tcp-priority=s/^<\d+>\d//

roopeshetty · ‎01-18-2024

Hi ITWhisperer,

Thanks, its almost done, but i see a space (gap) before the timestamp, how can we delete this space?

ITWhisperer · ‎01-18-2024

SEDCMD-strip-tcp-priority=s/^<\d+>\d\s//

PickleRick · ‎01-18-2024

If you need to tweak your regexes, that's a great interactive tool to test them.

https://regex101.com/

remove prefix on every events using SEDCMD

props.conf

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...