Splunk Search

Strip date and hostname from search results

Path Finder

Is it possible to strip the date and hostname from the log entry search result that shows up in search?

I still want the date and hostname to be indexed, but currently the information shows up in multiple places. The date is shown to the left of each search result, and the host is shown underneath the search result (in "selected fields").

Is it also possible to make other "selected fields" (the ones that show up underneath each entry) not shown in the log? I'm not sure if this specific idea is a good one or not, but I'd be interested to try it.

0 Karma
1 Solution

Path Finder

So I finally figured out how to do this.

On my indexer nodes I added the following to transforms.conf:

# Index-time rewrite of _raw: keep only what follows the first hh:mm:ss
# timestamp and the single whitespace-delimited field (the host) after it.
[syslog_strip_date_host]
SOURCE_KEY = _raw
REGEX = ^.*?\b\d\d:\d\d:\d\d\b\S* \S+\s*(.*)
FORMAT = $1
DEST_KEY = _raw

And added the following to props.conf

# Apply the transform to every event of sourcetype syslog.
[syslog]
TRANSFORMS-date_host = syslog_strip_date_host

The regex looks for the first thing containing a date (\d\d:\d\d:\d\d) and deletes it and the next field (which is the host).


As a note for anyone else looking into this, doing a SEDCMD in props.conf does not work as the replacement occurs before indexing, so the host (and possibly time) doesn't get indexed. Using a transform seems to happen after indexing so it works.


0 Karma
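The transform's REGEX from the answer above, run outside Splunk over a few constructed syslog lines so that what it strips, and where it misbehaves, is visible. This is an added example and not part of the original post or of Splunk: the sample events are made up, and ANCHORED_DATE_HOST is my own alternative pattern, not one the page proposes. Two edge cases are worth seeing: the original pattern's `\b` before the hour rejects an ISO 8601 timestamp with a `T` separator, so such events pass through unchanged, and because the pattern is not anchored to the header it will happily match an hh:mm:ss that only appears inside the message body and throw the real message away.

```python
import re

# The index-time regex from the answer's transforms.conf, copied verbatim.
# Splunk and Python both treat \b and \S the same way for ASCII input.
STRIP_DATE_HOST = re.compile(r"^.*?\b\d\d:\d\d:\d\d\b\S* \S+\s*(.*)")

# My own hardened variant (an assumption, not from the page): the header is
# anchored to the start of the event, so a time inside the message body can
# never be the match, and the ISO 8601 "T" form the original rejects is accepted.
ANCHORED_DATE_HOST = re.compile(
    r"^(?:<\d{1,3}>\d*\s+)?"             # optional syslog PRI (and RFC 5424 version)
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s+"     # BSD header: "Mar 14 "
    r"|\d{4}-\d\d-\d\dT)"                # or ISO 8601 date: "2023-03-14T"
    r"\d\d:\d\d:\d\d\S*\s+"              # hh:mm:ss plus any fraction / zone
    r"\S+\s+"                            # host (dropped, like the original)
    r"(.*)$"                             # message: the only part kept
)


def strip_date_host(raw: str, pattern: re.Pattern = STRIP_DATE_HOST) -> str:
    """Apply REGEX / FORMAT=$1 / DEST_KEY=_raw to one event.

    Splunk leaves _raw untouched when REGEX does not match, so the function
    does the same: a line without a matching header is returned as-is.
    """
    m = pattern.match(raw)
    return m.group(1) if m else raw


# Constructed sample events; none of these come from the original page.
SAMPLE_EVENTS = [
    # 0: classic BSD syslog header, the case the answer was written for
    "Mar 14 09:12:55 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    # 1: ISO 8601 timestamp with a "T" separator: no \b between "T" and "09"
    '2023-03-14T09:12:55.123Z web02 nginx: 10.0.0.9 - - "GET /login HTTP/1.1" 200',
    # 2: no header at all, but an hh:mm:ss inside the message body
    "web03 cron[77]: job ran at 09:12:55 and finished",
    # 3: neither a timestamp nor a host
    "kernel: no timestamp or host on this line",
    # 4: RFC 5424 style with a PRI/version prefix
    "<13>1 2023-03-14T09:12:55Z web04 app - - - user login failed",
]


def strip_all(events, pattern: re.Pattern = STRIP_DATE_HOST):
    """Return the rewritten _raw for every event in the list."""
    return [strip_date_host(e, pattern) for e in events]


if __name__ == "__main__":
    for name, pat in (("original", STRIP_DATE_HOST), ("anchored", ANCHORED_DATE_HOST)):
        print(f"== {name} ==")
        for before, after in zip(SAMPLE_EVENTS, strip_all(SAMPLE_EVENTS, pat)):
            print(f"{before!r}\n  -> {after!r}")
```

Event 2 shows the failure mode that matters for a log you will later investigate: the original pattern reduces `job ran at 09:12:55 and finished` to `finished`, and because this runs at index time the lost text is not recoverable. The anchored pattern is plain PCRE and can be dropped into REGEX in transforms.conf unchanged. If the goal is only a cleaner display, the same substitution can instead be done at search time with `rex field=_raw mode=sed`, which leaves the indexed data intact (a general Splunk feature, not something the answer above relies on).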

Legend

The "selected fields" that show beneath the events can be controlled by choosing "edit" in the Fields sidebar in the left panel. A popup window will open, allowing you to select any fields that you like - or to remove all of them from the list. Whatever you select will appear beneath the events in the search results.

AFAIK, you can't remove the timestamp from the left of the events.

However, you could do this

yoursearchhere | table _raw

This will show only the events. There will be no timestamp on the left or any selected fields beneath the events. However, you will not be able to click within the events to "drill down" the search.

0 Karma

Legend

You could do that when indexing the data, but it is an irreversible act and it will cost you some processing time to do it. I recommend against it.

0 Karma

Path Finder

I think you misunderstood my question. I want to keep the timestamp to the left and the hostname underneath. I want to remove them from the message.

0 Karma