Are you wanting to remove it for reporting purposes or to ensure Splunk accurately extracts the timestamp?
To ensure Splunk accurately extracts the timestamp, you may add this to your props.conf beneath the applicable sourcetype, host, or source stanza:
[relevant_stanza]
TIME_PREFIX = ^\<[^\>]+\>
You could also add the following settings in the same place. They would help with efficiency a bit but likely not be required:
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %b %d %T
The <135> shouldn't bother you during search time, but if it does - you can easily work around it using one of many techniques. Please let us know if it is a search-time question (with an example) and we'll focus on that instead.
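As an added example (not part of the answer above, and not Splunk's own code), the script below mimics what those props.conf settings ask Splunk to do: skip the leading syslog PRI with the TIME_PREFIX regex, look at most MAX_TIMESTAMP_LOOKAHEAD characters further on, and parse a `%b %d %T` timestamp. It also decodes the PRI, since `<135>` is just facility*8+severity (135 = local0.debug), which is usually the reason you want it gone from reports rather than from the raw event. The four sample lines are constructed for the demo, and the year is supplied by the caller because BSD-style syslog carries none.

```python
"""Added example: simulate the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD /
TIME_FORMAT settings on syslog lines that begin with a <PRI> prefix."""
import re
from datetime import datetime

# Mirrors the props.conf stanza in the answer above.
TIME_PREFIX = re.compile(r"^<[^>]+>")      # skip the PRI, e.g. "<135>"
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = "%b %d %H:%M:%S"             # %T in strptime(3) == %H:%M:%S

# Candidate timestamp token inside the lookahead window:
# month, optionally space-padded day ("Oct  5"), HH:MM:SS.
_TS_TOKEN = re.compile(r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}")

# Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424 numbering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# Constructed sample events (hypothetical hosts and messages).
SAMPLE_EVENTS = [
    "<135>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7",
    "<34>Oct  5 08:02:09 bastion sshd[1234]: Failed password for root",
    "Oct 11 22:14:15 app01 myapp: forwarded without a PRI",
    "<13>" + "x" * 40 + " Oct 11 22:14:15 app02 myapp: timestamp too far in",
]


def decode_pri(line):
    """Return (facility, severity) names for a leading <PRI>, else None."""
    m = TIME_PREFIX.match(line)
    if not m:
        return None
    body = m.group(0)[1:-1]                # "<135>" -> "135"
    if not body.isdigit() or int(body) > 191:
        return None                        # not a valid PRI value
    pri = int(body)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def extract_timestamp(line, year):
    """Return the event datetime, or None if no timestamp is found
    within MAX_TIMESTAMP_LOOKAHEAD characters after the PRI."""
    m = TIME_PREFIX.match(line)
    start = m.end() if m else 0            # no PRI: search from column 0
    window = line[start:start + MAX_TIMESTAMP_LOOKAHEAD]
    tok = _TS_TOKEN.search(window)
    if not tok:
        return None
    # strptime defaults the missing year to 1900, so stamp the real one in.
    return datetime.strptime(tok.group(0), TIME_FORMAT).replace(year=year)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        ts = extract_timestamp(ev, 2023)
        print(decode_pri(ev), ts.isoformat() if ts else "NO TIMESTAMP", ev[:40])
```

The fourth line shows the caveat behind MAX_TIMESTAMP_LOOKAHEAD: if anything longer than 30 characters sits between the PRI and the timestamp, the lookahead window misses it and Splunk falls back to other methods (typically the index time), so keep the value just above the length of the timestamp you expect.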
Thanks! Just what I was looking for. 🙂