Getting Data In

the beginning and end of the event

DuXa
New Member

Hello, I have logs with some events. I want to see only my event. How can I remove the other information? My event begins at: "main: number of bytes received: 489" and finishes at: "Send msg to queue *******". Could you help me on Skype: digilan007

6| set_buffer_mode: stderr is line-buffered
6| Opened txrout.out, Mar 27 at 09:38:00

6| #!# SVFE Ver. 2.2.7 build 20050624 #!#
6| =>COMMIT_WORK (db_login.pc)
0|


Task with ID = 11 is waiting for the message to arrive on the queue 34471943.
49395| main: number of bytes received: 63
49395| 09:41:18
49395| main: Found message format 1.00
49395| =>sv_msg2msgx_ent (tag_utils.c)
49395| =>svm_dprint (sv_message.c 10.4)
49395| svm_dprint: Message v1.00
umsgnum = 00000000 org_pid = 00000000
dest_pid = 00000000 timestamp_in = 1301204478
msg_size = 00000007 msgtype = 00000022
direction = 00000000 dev_proc_id = 00000000
org_dev_qid = 34471943 49395| BITS: 49395|

...................................................................................................
0| =>get_from_addldata (tag_utils.c)
0| get_from_addldata:Input dptr=0x0x600fffffffef6fc8 limit=0x0x600fffffffef6fc8
0| Tag 0xBD SVT_ACTION is not present in bpc_addldata
0| txn_needs_new_routing: return FALSE
0| =>COMMIT_WORK (db_login.pc)

0 Karma

yannK
Splunk Employee

As Kristian said in the comment, you probably want to redefine the way you want Splunk to parse your events.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents

Then, once you have isolated the pieces, delete the useless events (see nullQueue) or reformat them using SEDCMD:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles

0 Karma

kristian_kolb
Ultra Champion

Hi, your sample data does not correspond with the event delimiters you specify. (There is no line "Send message to queue...".) Also, this is the user forum, not an official support site - maybe someone will call you on Skype, but you shouldn't count on it.

In general, it would probably be good to study the documentation sections for props.conf, more specifically the parameters for breaking the incoming data stream into events (BREAK_ONLY_BEFORE..., MUST_NOT_BREAK...), and possibly also the docs on anonymizing data, which could be a means of removing the unwanted lines.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles

/k
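The two answers above both point at the same pair of config files without showing them. Here is a worked props.conf/transforms.conf pair that implements what they describe: break the stream into one event per transaction at the "main: number of bytes received" line, route everything to nullQueue, and then rescue only those events that also contain the "Send msg to queue" end marker. This is an added example for this thread, not configuration posted by anyone in it or shipped with Splunk; the sourcetype name svfe_txrout, the stanza names, the MAX_EVENTS value and the task-id regex (the "49395| " prefix in the sample) are assumptions. Only documented settings are used: BREAK_ONLY_BEFORE, SHOULD_LINEMERGE, MAX_EVENTS, TRANSFORMS-<class>, SEDCMD-<class>, and the REGEX / DEST_KEY = queue / FORMAT = nullQueue|indexQueue routing pattern from the linked docs.

```ini
# --- props.conf (added example, not from the thread) ---
# Assumes the txrout.out file is monitored with sourcetype=svfe_txrout and that
# this file lives in $SPLUNK_HOME/etc/system/local/ on the instance that parses
# the data (an indexer or a heavy forwarder; a universal forwarder does not
# apply line breaking or nullQueue routing).
[svfe_txrout]
SHOULD_LINEMERGE = true
# Start a new event only at the "main: number of bytes received: N" line.
# The "49395| " prefix is the logging task's id, so any digits are allowed.
BREAK_ONLY_BEFORE = ^\d+\|\s*main: number of bytes received: \d+
# Default is 256 lines per event; a full transaction dump can be longer.
MAX_EVENTS = 5000
# Routing transforms run in list order: first send every event to nullQueue,
# then override that for events that look like a complete transaction.
TRANSFORMS-route = svfe_drop_all, svfe_keep_txn
# Optional cleanup: strip the "49395| " task-id prefix from each line.
SEDCMD-strip_taskid = s/\d+\|\s*//g

# --- transforms.conf (added example, not from the thread) ---
[svfe_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Keep only events that begin with the start marker and contain the end marker.
# The task-id prefix is optional so the rule matches whether or not the SEDCMD
# above has already removed it. [\s\S]* spans line breaks regardless of PCRE flags.
[svfe_keep_txn]
REGEX = ^(\d+\|\s*)?main: number of bytes received: \d+[\s\S]*Send msg to queue
DEST_KEY = queue
FORMAT = indexQueue
```

Two things to check before relying on this. First, BREAK_ONLY_BEFORE cuts at the start marker only, so the startup banner lines before the first marker become their own leading event (the drop rule discards it) and any lines between "Send msg to queue" and the next start marker stay inside the kept event; if those trailing lines matter, a second SEDCMD or a different end-of-event rule is needed. Second, confirm the merged settings with `splunk btool props list svfe_txrout --debug` (and the same for transforms), restart the instance, and verify against a copy of the sample data in a scratch index before touching production, because events routed to nullQueue are gone, not hidden.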

jackson1990
Path Finder

Which is all the information you want to remove? Can you please be more specific in your query?

0 Karma