How to escape the first line having ‘null’ char

sumanbej · ‎02-09-2013

I have a log file ( generated from the WAS server) having the first line like that :
null null null null...
Please help me how to excape that line from the Splunk conf files.

okrabbe_splunk · ‎02-09-2013

I imagine you wan't to discard the first line because it does not have useful date.

Please see this link on how to filter data out to the null queue. You would need to create a regular expression to match the line you want to remove.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

shaileshv02 · ‎02-19-2013

"Escape the first line" means the first line of the file contains binary data
Configs:
inputs.conf
[monitor://C:\AEP]
disabled = false
followTail = 0
index = main
sourcetype = log4j
CRCSALT =

props.conf
[log4j]
NO_BINARY_CHECK = True
TRUNCATE = 100000
[source::C:\AEP]
sourcetype = log4j
TRANSFORMS-null= setnull

transforms.conf
[setnull]
REGEX = [\x00]
DEST_KEY = queue
FORMAT = nullQueue

Getting following error.
Access error while handling path: failed to open for checksum: 'C:\AEP\bw-timer-mm.log.3' (The process cannot access the file because it is being used by another process.)

martin_mueller · ‎02-09-2013

What do you mean by "escape the first line"?

How to escape the first line having ‘null’ char

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!