Is it possible to remove information from the column "Event" in the search app view? Some values have already been extracted, so I would like to remove them from the event column.
Current text in column "Event":
time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message
New:
LOG: A long long log message
Is that possible? How to do this?
The event column shows the raw event.
Technically, you could do an | eval _raw=... command to apply some kind of eval function to the _raw field, to display only the part you are looking for. Or, specifically for your example: | rex "message=(?<_raw>.*)"
Hello,
can you paste this example into your search bar:
| makeresults | eval _raw="time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message" | rex "message=(?<_raw>.*)"
This is working for one line; as we have the same prefix with a different log message on the second line (that was my fault, I didn't mention it), I used
| rex max_match=0 "message=(?<_raw>.*)"
Now it's working fine. Thank you very much.
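To see why max_match=0 was needed, here is an added Python example that is not part of the original thread and not Splunk code: it applies the same regex to a constructed two-line event. It uses Python's re module as a stand-in for the PCRE engine rex uses (the named-group syntax differs, (?P<name>...) instead of (?<name>...)); the helper names rex_raw and shorten_event and the sample event are made up here.

```python
import re

# Constructed sample event: two lines sharing the same prefix, modelled on the
# thread. This is made-up test input, not data from the original post.
SAMPLE_EVENT = (
    "time=2018-04-30 10:39:16.652 CEST processID=12116 appname= username= "
    "dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: A long long log message\n"
    "time=2018-04-30 10:39:16.653 CEST processID=12116 appname= username= "
    "dbname= remoteHost= sessionid=5ae6d634.2f54 message=LOG: second line of the same event"
)

# Equivalent of | rex "message=(?<_raw>.*)". Without re.DOTALL, "." stops at a
# newline, so each match is confined to a single line of the event.
MESSAGE_RE = re.compile(r"message=(?P<_raw>.*)")


def rex_raw(event: str, max_match: int = 1) -> list[str]:
    """Mimic rex's max_match handling (hypothetical helper).

    max_match=1 (rex's default) keeps only the first match; max_match=0 keeps
    every match, which Splunk stores as a multivalue field.
    """
    matches = [m.group("_raw") for m in MESSAGE_RE.finditer(event)]
    if max_match == 0:
        return matches
    return matches[:max_match]


def shorten_event(event: str, max_match: int = 1) -> str:
    """What the Event column would show after the rex (hypothetical helper).

    The extracted message(s) replace _raw. If the regex does not match at all,
    the original event text is kept, since rex does not set a field on no match.
    """
    matches = rex_raw(event, max_match)
    return "\n".join(matches) if matches else event


if __name__ == "__main__":
    # Default: only the first line's message survives.
    print(shorten_event(SAMPLE_EVENT))
    print("---")
    # max_match=0: both lines' messages survive.
    print(shorten_event(SAMPLE_EVENT, max_match=0))
```

With the default max_match the second line's message is silently dropped, which is exactly the symptom described above; max_match=0 returns both.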
You should not remove these during indexing, because it will most likely break all your field extractions unless all this information has been extracted as index-time fields, which it most likely hasn't.
You could use a regex like this:
.*\smessage=(?<_raw>.*)$
This would replace the _raw field, which is what you're getting displayed as the actual event text.
So, you can simply set up a props.conf like this:
[your-sourcetype]
EXTRACT-shorten_raw_text = .*\smessage=(?<_raw>.*)$
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂