Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Remove additional timestamp from the logs

zaan
New Member
‎07-01-2020 08:38 AM

Hi All

i have onboarded linux logs from S3--> Splunk . I found additional timestamp is getting attached to the events. Can you please help me in removing the additional timestamp. Below is the expected log format.

Before,

2020-07-01T10:59:58Z messages {"message":"Jun 1 10:59:58 stg-coinbrh: [get_meta] Trying to get http://10.4.3.1/latest/meta-data/network/interfaces/macs/06:c3:45:12:56:12/subnet-ipv4-cidr-block"}
2020-07-01T10:59:58Z messages {"message":"Jun 4 10:59:58 stg-mbcoln: [rewrite_aliases] Rewriting aliases of eth0"}

After,

Jun 1 10:59:58 stg-coinbrh: [get_meta] Trying to get http://10.4.3.1/latest/meta-data/network/interfaces/macs/06:c3:45:12:56:12/subnet-ipv4-cidr-block

Jun 4 10:59:58 stg-mbcoln: [rewrite_aliases] Rewriting aliases of eth0

Please help me in defining exact props and transforms settings to achieve this.

 

Thanks in advance

 

 

Labels (2)
Labels
Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2020 10:13 AM

Depending on how you're getting the data from S3 to Splunk there may be other, better answers, but using SEDCMD should work.  Add this line to the props.conf file for the sourcetype.

SEDCMD-unjson = s/\{"message":"(.*)"}/\1/g

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...