×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
DoubleAka
Observer
Member since: ‎07-23-2024
‎07-26-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-23-2024
Activity Feed
View All

Re: Slice Messages Before Search Time

by in Getting Data In
‎07-25-2024 07:56 AM
‎07-25-2024 07:56 AM
Yes that is me, I am sorry for the using two channels for the same question, after asking in the Slack I searched again about the issue on the web but could not find any previous questions. Therefore I realized it could be better to ask here for future Splunk explorer. However eventually I was able to resolve the issue by editing my third party source code (not my Splunk UF) to produce valid formatted JSON messages. So problem is solved but not in conventional ways. For this reason I this think the question should be completely deleted in order to avoid future confusion. How can I remove this question completely? ... View more

Slice Messages Before Search Time

by in Getting Data In
‎07-23-2024 02:01 AM
‎07-23-2024 02:01 AM
How can I cut some parts of my message prior to index time? I tried to use both SEDCMD and transform on raw messages but I still get the full content each time. Here is my current props configuration: [ETW_SILK_JSON] description = silk etw LINE_BREAKER = ([\r\n]+"event":) SHOULD_LINEMERGE = false CHARSET = UTF-8 TRUNCATE = 0 # TRANSFORMS-cleanjson = strip_event_prefix SEDCMD-strip_event = s/^"event":\{\s*// And my message sample: "event":{{"ProviderGuid":"7dd42a49-5329-4832-8dfd-43d979153a88","YaraMatch":[],"ProviderName":"Microsoft-Windows-Kernel-Network","EventName":"KERNEL_NETWORK_TASK_TCPIP/Datareceived.","Opcode":11,"OpcodeName":"Datareceived.","TimeStamp":"2024-07-22T14:29:27.6882177+03:00","ThreadID":10008,"ProcessID":1224,"ProcessName":"svchost","PointerSize":8,"EventDataLength":28,"XmlEventData":{"FormattedMessage":"TCPv4: 43 bytes received from 1,721,149,632:15,629 to -23,680,832:14,326. ","connid":"0","sport":"15,629","_PID":"820","seqnum":"0","MSec":"339.9806","saddr":"1,721,149,632","size":"43","PID":"1224","dport":"14,326","TID":"10008","ProviderName":"Microsoft-Windows-Kernel-Network","PName":"","EventName":"KERNEL_NETWORK_TASK_TCPIP/Datareceived.","daddr":"-23,680,832"}}} I want to get rid of the "event" prefix but none of the optios seems to work. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-26-2024 12:11 PM