Splunk Search

Remove additional timestamp from the logs

zaan
New Member

Hi All,

I have onboarded Linux logs from S3 --> Splunk. I found that an additional timestamp is getting attached to the events. Can you please help me remove the additional timestamp? Below is the expected log format.

Before,

2020-07-01T10:59:58Z messages {"message":"Jun 1 10:59:58 stg-coinbrh: [get_meta] Trying to get http://10.4.3.1/latest/meta-data/network/interfaces/macs/06:c3:45:12:56:12/subnet-ipv4-cidr-block"}
2020-07-01T10:59:58Z messages {"message":"Jun 4 10:59:58 stg-mbcoln: [rewrite_aliases] Rewriting aliases of eth0"}

After,

Jun 1 10:59:58 stg-coinbrh: [get_meta] Trying to get http://10.4.3.1/latest/meta-data/network/interfaces/macs/06:c3:45:12:56:12/subnet-ipv4-cidr-block

Jun 4 10:59:58 stg-mbcoln: [rewrite_aliases] Rewriting aliases of eth0

Please help me in defining exact props and transforms settings to achieve this.

Thanks in advance

richgalloway
SplunkTrust

Depending on how you're getting the data from S3 to Splunk there may be other, better answers, but using SEDCMD should work. Add this line to the props.conf file for the sourcetype.

SEDCMD-unjson = s/\{"message":"(.*)"}/\1/g

---
If this reply helps you, an upvote would be appreciated.
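Before shipping a SEDCMD to the indexers it is worth checking what the sed expression actually does to a copy of the "Before" lines. The following is an added example (not code from the thread or from Splunk): it applies the posted expression to the two constructed sample events from the question, and, as my own assumption, pairs it with a second pattern that also drops the leading "2020-07-01T10:59:58Z messages " prefix, which the posted expression leaves in place. It also contrasts the regex approach with parsing the JSON wrapper, because a sed rewrite leaves JSON escape sequences such as \" in the event text. Function names, the PREFIX pattern and the escaped sample line are assumptions for illustration.

```python
import json
import re

# Constructed sample events in the "Before" shape shown in the question.
SAMPLE_EVENTS = [
    '2020-07-01T10:59:58Z messages {"message":"Jun 1 10:59:58 stg-coinbrh: [get_meta] '
    'Trying to get http://10.4.3.1/latest/meta-data/network/interfaces/macs/'
    '06:c3:45:12:56:12/subnet-ipv4-cidr-block"}',
    '2020-07-01T10:59:58Z messages {"message":"Jun 4 10:59:58 stg-mbcoln: '
    '[rewrite_aliases] Rewriting aliases of eth0"}',
]

# Constructed edge case (assumption): a message that contains JSON-escaped quotes.
ESCAPED_EVENT = (
    '2020-07-01T10:59:58Z messages {"message":"Jun 4 10:59:58 stg-mbcoln: '
    'sshd[123]: Accepted publickey for \\"bob\\" from 10.0.0.5"}'
)

# The posted SEDCMD, s/\{"message":"(.*)"}/\1/g, translated to Python's re.
# Note the greedy (.*): it captures up to the LAST "} on the line.
UNJSON = re.compile(r'\{"message":"(.*)"}')

# Assumed companion pattern (not from the answer) for the leading
# "<ISO-8601 timestamp> <source label> " prefix. As a second props.conf line
# it would read:  SEDCMD-strip-prefix = s/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\s+\S+\s+//
PREFIX = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\s+\S+\s+')

# Shape check for the "After" format: "Mon D HH:MM:SS host: ..."
SYSLOG_SHAPE = re.compile(r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+: ')


def unjson(event: str) -> str:
    """Apply only the posted SEDCMD: unwrap the JSON, keep the prefix."""
    return UNJSON.sub(r'\1', event)


def strip_prefix_and_unjson(event: str) -> str:
    """Apply the assumed prefix removal, then the posted unwrap."""
    return UNJSON.sub(r'\1', PREFIX.sub('', event, count=1))


def unjson_parsed(event: str) -> str:
    """Alternative (assumption): parse the JSON object instead of regex-stripping
    it, so escape sequences such as \\" are decoded. Returns the event unchanged
    if the body is not the expected {"message": ...} wrapper."""
    m = PREFIX.match(event)
    body = event[m.end():] if m else event
    try:
        obj = json.loads(body)
    except json.JSONDecodeError:
        return event
    if isinstance(obj, dict) and isinstance(obj.get("message"), str):
        return obj["message"]
    return event


def looks_like_syslog(line: str) -> bool:
    """True when the line matches the 'After' format from the question."""
    return SYSLOG_SHAPE.match(line) is not None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS + [ESCAPED_EVENT]:
        print("posted SEDCMD only :", unjson(ev))
        print("prefix + SEDCMD    :", strip_prefix_and_unjson(ev))
        print("json.loads variant :", unjson_parsed(ev))
        print()
```

Running this shows that the posted expression alone yields "2020-07-01T10:59:58Z messages Jun 4 10:59:58 stg-mbcoln: ..." rather than the requested "After" lines, so a second expression for the prefix is needed if the prefix is meant to go as well. The json.loads variant is not something SEDCMD can do; it is included only to make visible what the regex rewrite leaves behind on escaped content, which matters for any downstream field extraction on these events.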