I am investigating one of the log files in an application I want to monitor.
It seems there are over 100 lines at the start with information about the environment, startup parameters etc. I'm not really interested in that.
There is a line with the text "Logging starting..." or something similar.
What would be the best way to tell Splunk to skip ahead until this particular line is found and start after that line? The lines following look like normal timestamped events with each event on a single line.
Hi @cmorrall,
Try like this:
index="_internal" | head 2 | eval Apples=50,Bananas=44,results="Logout"
| append [| makeresults | eval Apples=50,Bananas=44,results="Logout" ]
| append [| makeresults | eval Apples=50,Bananas=44,results="Logout" ]
| append [| makeresults | eval Apples=50,Bananas=44,results="Logging starting" ]
| append [| makeresults | eval Apples=50,Bananas=44,results="Logout" ]
| table Apples Bananas results
| streamstats count as counting
| where counting > [search index="_internal" | head 2 | eval Apples=50,Bananas=44,results="Logout"
    | append [| makeresults | eval Apples=50,Bananas=44,results="Logout" ]
    | append [| makeresults | eval Apples=50,Bananas=44,results="Logout" ]
    | append [| makeresults | eval Apples=50,Bananas=44,results="Logging starting" ]
    | append [| makeresults | eval Apples=50,Bananas=44,results="Logout" ]
    | table Apples Bananas results
    | streamstats count as counting1
    | where results="Logging starting"
    | return $counting1]
1) Are you saying that, when ingesting and indexing a file, you want to ignore all the records up to and including that text? If so, we will need the exact text and all "something similars" that you want to key on.
2) What kind of file is this? Is the entire file being added once, or is the same file being monitored as it is written to?
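As an added illustration, not part of this thread, of the pre-processing alternative to the search-time approach above: a small Python filter of the kind a scripted input could run over the file before it reaches Splunk. It assumes the marker text is "Logging starting" (the question gives it only approximately), keeps a checkpoint so a file that is still being written to is not re-forwarded, and uses a constructed sample log.

```python
import re
import tempfile
from pathlib import Path
# Marker ending the startup preamble; the question gives the text only
# approximately, so this pattern is an assumption to adjust.
MARKER_RE = re.compile(r"Logging starting")

# Constructed sample log: preamble lines, the marker, then normal events.
SAMPLE = [
    "JVM version: 11.0.2",
    "Startup parameter: -Xmx2g",
    "Logging starting...",
    "2024-01-01 10:00:00 INFO first event",
    "2024-01-01 10:00:01 WARN second event",
]

def tail_from_checkpoint(path, checkpoint, marker_re=MARKER_RE):
    """One poll of a growing file: skip the preamble once, then resume from
    the saved byte offset so no event is forwarded twice."""
    path, checkpoint = Path(path), Path(checkpoint)
    offset, seen_marker = 0, False
    if checkpoint.exists():
        off, flag = checkpoint.read_text().split()
        offset, seen_marker = int(off), flag == "1"
    if path.stat().st_size < offset:  # rotated or truncated: start over
        offset, seen_marker = 0, False
    out = []
    with path.open("rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):  # partial last line: wait for more
                break
            offset += len(raw)
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if seen_marker:  # everything after the marker is an event
                out.append(line)
            elif marker_re.search(line):  # the marker line itself is dropped
                seen_marker = True
    checkpoint.write_text(f"{offset} {int(seen_marker)}")
    return out

def demo():
    # Two polls over the constructed sample in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        log, ckpt = Path(d, "app.log"), Path(d, "app.ckpt")
        log.write_text("\n".join(SAMPLE[:4]) + "\n")
        first = tail_from_checkpoint(log, ckpt)
        with log.open("a") as fh:  # the application keeps writing
            fh.write(SAMPLE[4] + "\n")
        second = tail_from_checkpoint(log, ckpt)
    return first, second
```

If the marker never appears, nothing is emitted, so a truncated or unexpected file cannot push its preamble into the index.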