- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Strip date and hostname from search results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to strip the date and hostname from the log entry search result that shows up in search?
I still want the date and hostname to be indexed, but currently the information shows up in multiple places. The date is shown to the left of each search result, and the host is shown underneath the search result (in "selected fields").
Is it also possible to make other "selected fields" (the ones that show up underneath each entry) not shown in the log? I'm not sure if this specific idea is a good one or not, but I'd be interested to try it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I finally figured out how to do this.
On my indexer nodes I added the following to transforms.conf:
[syslog_strip_date_host]
SOURCE_KEY = _raw
REGEX = ^.*?\b\d\d:\d\d:\d\d\b\S* \S+\s*(.*)
FORMAT = $1
DEST_KEY = _raw
And added the following to props.conf
[syslog]
TRANSFORMS-date_host = syslog_strip_date_host
The regex looks for the first thing containing a date (\d\d:\d\d:\d\d) and deletes it and the next field (which is the host).
As a note for anyone else looking into this, doing a SEDCMD in props.conf does not work as the replacement occurs before indexing, so the host (and possibly time) doesn't get indexed. Using a transform seems to happen after indexing so it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I finally figured out how to do this.
On my indexer nodes I added the following to transforms.conf:
[syslog_strip_date_host]
SOURCE_KEY = _raw
REGEX = ^.*?\b\d\d:\d\d:\d\d\b\S* \S+\s*(.*)
FORMAT = $1
DEST_KEY = _raw
And added the following to props.conf
[syslog]
TRANSFORMS-date_host = syslog_strip_date_host
The regex looks for the first thing containing a date (\d\d:\d\d:\d\d) and deletes it and the next field (which is the host).
As a note for anyone else looking into this, doing a SEDCMD in props.conf does not work as the replacement occurs before indexing, so the host (and possibly time) doesn't get indexed. Using a transform seems to happen after indexing so it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The "selected fields" that show beneath the events can be controlled by choosing "edit" in the Fields sidebar in the left panel. A popup window will open, allowing you to select any fields that you like - or to remove all of them from the list. Whatever you select will appear beneath the events in the search results.
AFAIK, you can't remove the timestamp from the left of the events.
However, you could do this
yoursearchhere | table _raw
This will show only the events. There will be no timestamp on the left or any selected fields beneath the events. However, you will not be able to click within the events to "drill down" the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could do that when indexing the data, but it is an irreversable act and it will cost you some processing time to do it. I recommend against it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you misunderstood my question. I want to keep the timestamp to the left and the hostname underneath. I want to remove them from the message.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
