Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does PREAMBLE_REGEX work on Windows Splunk but not Linux Splunk?

andrewtrobec
Motivator
‎07-28-2017 02:34 AM

Hello,

I am currently using the following REGEX for PREAMBLE_REGEX in props.conf which works on Splunk 6.4.x running on Windows:

(^|[\r\n])(Job\.Description[^\r\n]+|String[^\r\n]+)

This is used to tell Splunk to skip the second and third lines of log files which always start:

Job.Description,Job.NumJobWaitEvents...
String,Integer,Integer...

I've since migrated my app to a Splunk 6.4.x instance running on Linux, but it doesn't work anymore (the lines aren't ignored). What changes should I be looking out for to ensure that the regular expression works in Linux as well?

Thank you and best regards,

Andrew

Tags (1)
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-28-2017 02:53 AM

Try:

^(Job\.Description.+|String,.+)$

It should work the same way as your regex, but it's simpler. That might make a difference.

Reply

andrewtrobec
Motivator
‎08-03-2017 08:26 AM

Thanks for the input. The REGEX works but doesn't solve the problem. I've found what I was looking for here:

https://answers.splunk.com/answers/209824/how-to-get-splunk-to-ignore-the-second-line-of-a-l.html

Suggestion was to use a null-queue transform by modifying props.conf and transforms.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...