I want to be able to get rid of the time in _raw messages. For example the raw message:
2013-07-31 09:38:44 [<ffffffff81134262>] ? try_to_free_pages+0x92/0x120
Jul 31 11:09:37 edge10 xinetd[3162]: EXIT: mshell status=0 pid=12245 duration=0(sec)
Becomes
2013-07-31 [<ffffffff81134262>] ? try_to_free_pages+0x92/0x120
Jul 31 edge10 xinetd[3162]: EXIT: mshell status=0 pid=12245 duration=0(sec)
It would be nice to get rid of the date but for now all I need is the time gone.
At search time, use the rex command with sed mode to replace the date/time before displaying.
Splunk will still use the timestamp extracted to qualify the events.
< mysearch > | rex mode=sed "s/\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}//g" | table _raw
see http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Rex
At index time, use the same approach with a props.conf rule on the indexer. But I am not sure which timestamp will be used by Splunk.
[mysourcetype]
SEDCMD=s/\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}//g
see http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/Anonymizedatausingconfigurationfiles
Seems to work for the time but not, of course, for the date.
Might work for some cases but I can't tell as there are other cases not covered by this regex, I'll add the issue.
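The answer's sed expression and the "other cases" raised in the last comment, reproduced as an added Python example (not code from the thread or from Splunk). It strips only the clock time, as the question asked, from both event shapes shown above (ISO and syslog), and shows beside it what the answer's ISO-only expression does to each; the fractional-seconds handling is an assumed extension.

```python
import re

# Added example (not from the thread): strips only the clock time, as asked,
# from both event shapes shown in the question (ISO "YYYY-MM-DD HH:MM:SS"
# and syslog "Mon DD HH:MM:SS"), keeping the date in front of it.
TIME_AFTER_DATE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}|[A-Z][a-z]{2} {1,2}\d{1,2}) "  # date kept
    r"\d{1,2}:\d{2}:\d{2}(?:\.\d+)? "                                 # time dropped
)

# The answer's sed-mode expression, as "s/.../ /g" applies it: it only knows
# the ISO form and removes date and time together (leaving a leading space).
ANSWER_REGEX = re.compile(r"\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}")


def strip_time(raw: str) -> str:
    """Remove the leading HH:MM:SS (and optional fraction) but keep the date."""
    return TIME_AFTER_DATE.sub(lambda m: m.group("date") + " ", raw, count=1)


def answer_sed(raw: str) -> str:
    """What the answer's rex mode=sed expression produces for one event."""
    return ANSWER_REGEX.sub("", raw)


# Constructed samples: the two events from the question and the expected results.
SAMPLES = [
    ("2013-07-31 09:38:44 [<ffffffff81134262>] ? try_to_free_pages+0x92/0x120",
     "2013-07-31 [<ffffffff81134262>] ? try_to_free_pages+0x92/0x120"),
    ("Jul 31 11:09:37 edge10 xinetd[3162]: EXIT: mshell status=0 pid=12245 duration=0(sec)",
     "Jul 31 edge10 xinetd[3162]: EXIT: mshell status=0 pid=12245 duration=0(sec)"),
]


def check_samples() -> bool:
    """True when strip_time yields exactly the 'Becomes' lines from the question."""
    return all(strip_time(raw) == want for raw, want in SAMPLES)


if __name__ == "__main__":
    for raw, _ in SAMPLES:
        print("strip_time :", strip_time(raw))
        print("answer_sed :", repr(answer_sed(raw)))
```

Note that the syslog form has no year, so if the date is later dropped as well, Splunk's own _time field is the only remaining way to order the events.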