Skip indexing one line

Glace
Explorer

Hello,

I'm trying to skip one line while indexing the whole file.

This is the line I'm trying to skip.

Trace Opening D:/nlog-all-2020-09-04.log with allowFileSharedWriting=False

It changes the timestamp, as you can see in the title of the file.

How can I achieve it the easiest way, please?

0 Karma

to4kawa
SplunkTrust

props.conf

SEDCMD-trim=s/Trace Opening.*//

SHOULD_LINEMERGE=false

0 Karma

Glace
Explorer

Still doesn't work. Maybe because that line starts with date + time? Is that possible?

All lines in that file start with date + time, but only the trace opening one is unwanted.

0 Karma

soutamo
SplunkTrust
Hi,
It's easier to help you if you post a real sample with the whole line instead of telling partially what it contains.
r. Ismo
0 Karma

to4kawa
SplunkTrust

Now, I can't verify the REGEX. Please fix it.

I just recommend that you try SEDCMD to delete the extra line.

0 Karma

Nisha18789
Builder

Hi @Glace, could you please advise whether this line is one event or it's part of an event when you are trying to ingest the log file in Splunk?

0 Karma

Glace
Explorer

Hi @Nisha18789. This is one event.

0 Karma
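
For dropping a whole single-line event like the Trace Opening one discussed in this thread, Splunk's index-time filtering routes matching events to nullQueue, whereas SEDCMD only rewrites the text of an event. The following is an added example, not from any poster in the thread; the sourcetype name `nlog` and the transform name `drop_trace_opening` are assumed placeholders.

```ini
# props.conf (on the indexer or heavy forwarder that parses this input)
# [nlog] is a placeholder sourcetype name; use the one assigned to the file.
[nlog]
SHOULD_LINEMERGE = false
TRANSFORMS-drop_trace_opening = drop_trace_opening

# transforms.conf (same instance)
# drop_trace_opening is a placeholder transform name.
[drop_trace_opening]
# Unanchored, so the leading date + time on the line does not matter.
REGEX = Trace Opening .+ with allowFileSharedWriting=
# Events matching REGEX are sent to nullQueue and never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

These are index-time settings, so they affect only data indexed after the change; events already in the index are untouched.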