Trying to strip the header info out of the event below, leaving only the JSON. I've tried "|extract reload=true" but neither that nor restarting Splunk seems to be working. Must be something with my syntax. This example is trying to remove the first 2 lines (for sake of simplicity in getting it to work)
props.conf:
[akamai_post_json]
SEDCMD-httpheader = s/(?mg)^POST.*$\n|^User-Agent.*$\n|//g
The event:
POST / HTTP/1.1
User-Agent: curl/7.26.0
Host: localhost
Accept: */*
Content-Length: 2552
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------0b1c32056fc5
------------------------------0b1c32056fc5
Content-Disposition: form-data; name="fileupload"; filename="default_connector_schema_1.0.json"
Content-Type: application/octet-stream
{
"apiType" : "String",
"apiFormat" : "String",
"apiVersion" : 0,
"ID" : "String",
"startTime" : "String",
"eventType" : "String",
"cpCode" : 0,
"message" : {
"protocol" : "0",
"protoVersion" : 0,
"clientIP" : "String",
"reqPort" : 0,
"reqHost" : "String",
"reqMethod" : "String",
"reqPath" : "String",
"reqQuery" : "String",
"reqContType" : "String",
"reqContLen" : 0,
"sslProtocol" : "String",
"sslVersion" : 0,
"respStatus" : 0,
"respRedirURL" : "String",
"respContType" : "String",
"respContLen" : 0,
"respBytesServed" : 0,
"userAgent" : "String",
"originHostname" : "String"
},
"httpHeaders" : {
"reqHeader" : {
"accEnc" : "String",
"accLang" : "String",
"auth" : "String",
"cacheCtl" : "String",
"connection" : "String",
"contMD5" : "String",
"cookie" : "String",
"DNT" : "String",
"ifMatch" : "String",
"ifMod" : "String",
"ifNoMatch" : "String",
"pragma" : "String",
"range" : "String",
"referer" : "String",
"TE" : "String",
"upgrade" : "String",
"via" : "String",
"xFrwdFor" : "String",
"xReqWith" : "String"
},
"respHeader" : {
"cacheCtl" : "String",
"connection" : "String",
"contEnc" : "String",
"contLang" : "String",
"contLen" : "String",
"contMD5" : "String",
"contDisp" : "String",
"contRange" : "String",
"date" : "String",
"eTag" : "String",
"expires" : "String",
"lastMod" : "String",
"p3p" : "String",
"pragma" : "String",
"server" : "String",
"setCookie" : "String",
"trailer" : "String",
"transEnc" : "String",
"vary" : "String",
"warning" : "String",
"wwwAuth" : "String"
}
},
"performance" : {
"reqHeadSize" : 0,
"reqBodySize" : 0,
"respHeadSize" : 0,
"respBodySize" : "String",
"downloadTime" : "String",
"originName" : "String",
"originIP" : "String",
"originInitIP" : "String",
"originRetry" : 0,
"lastMileRTT" : 0,
"lastMileBW" : 0,
"netOriginRTT" : 0,
"cacheStatus" : "String",
"lastByte" : true,
"cliCountry" : "String",
"edgeIP" : "String",
"reqID" : "String"
}
}
------------------------------0b1c32056fc5--
... View more