I've got a log file that has some log4j entries like this:
2016-05-03 10:32:35,895 INFO [STDOUT] (http-0.0.0.0-8180-2) 2016-05-03 10:32:35,895 ERROR [com.somewhere.someservice] - Reason : ....
I'd like the first part of the line removed so Splunk simply sees the second timestamp ERROR part, but not the initial first timestamp INFO [STDOUT] ... part.
And in the same log file I've got other entries that only have one timestamp, log_level and category part, like:
2016-05-03 09:05:20,783 INFO [STDOUT] (main) **** something....
or
2016-05-03 09:05:20,783 ERROR [com.somewhere.someservice].....
I know I should probably adjust the log4j configuration in the JBoss webapp, but that's not an option, so I'm looking to fix this server side in the props/transforms file.
Any recommendations or can someone point me in the right direction?
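The rewrite described in the post, as an added example (not part of the original post and not Splunk's own code): a regex that removes the outer `INFO [STDOUT] (thread)` wrapper only when a second log4j timestamp follows it, run over the three sample lines from the question. The names `OUTER_WRAPPER`, `strip_stdout_wrapper` and `demo` are hypothetical.

```python
import re

# log4j timestamp as it appears in the post: 2016-05-03 10:32:35,895
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"

# Outer wrapper = timestamp, level, [STDOUT], (thread name).
# The lookahead requires a second timestamp right after the wrapper, so
# single-timestamp STDOUT lines such as "(main) **** something" are kept.
OUTER_WRAPPER = re.compile(
    rf"^{TS} +[A-Z]+ +\[STDOUT\] +\([^)]*\) +(?={TS} )"
)


def strip_stdout_wrapper(line: str) -> str:
    """Return the line without the outer STDOUT prefix, if one wraps an inner event."""
    return OUTER_WRAPPER.sub("", line, count=1)


# The three sample lines, copied from the post.
SAMPLES = [
    "2016-05-03 10:32:35,895 INFO [STDOUT] (http-0.0.0.0-8180-2) "
    "2016-05-03 10:32:35,895 ERROR [com.somewhere.someservice] - Reason : ....",
    "2016-05-03 09:05:20,783 INFO [STDOUT] (main) **** something....",
    "2016-05-03 09:05:20,783 ERROR [com.somewhere.someservice].....",
]


def demo() -> list[str]:
    """Apply the rewrite to every sample line."""
    return [strip_stdout_wrapper(s) for s in SAMPLES]


if __name__ == "__main__":
    for before, after in zip(SAMPLES, demo()):
        print("changed  " if before != after else "unchanged", after)
```

The same anchored pattern can serve as the regex of a `SEDCMD` substitution in props.conf; the stanza and class names depend on the deployment and are not given on the page. Because the prefix is dropped before indexing, the outer level and thread name are no longer searchable afterwards.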