- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to filter or extract fields before indexing t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, as long as you can formulate a regular expression that defines how Splunk should include or exclude data. You can either to nullQueue routing (= drop events altogether) or
Docs on how to use each: nullQueue routing - http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad
SEDCMD - http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf - see specification on SEDCMD at the middle of the page.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source file
2013-11-01 11:11:11 f1 f2 f3 f4 f5 f6
2013-11-02 13:15:11 d1 d2 d3 d4 d5 d6
2013-11-02 14:23:22 e1 e2 e3 e4 e5 e6
2013-11-03 12:23:21 g1 g2 g3 g4 g5 g6
props.conf
[your_sourcetype]
TRANSFORMS-blah = keep235
transforms.conf
[keep235]
DEST_KEY = _raw
REGEX = ^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = $1 $2 $4 $5 $7
Result:
03/11/2013 12:23:21.000 2013-11-03 12:23:21 g2 g3 g5
02/11/2013 14:23:22.000 2013-11-02 14:23:22 e2 e3 e5
^Splunk parsed timestamp ^event timestamp ^less columns/fields
Hope this helps,
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source file
2013-11-01 11:11:11 f1 f2 f3 f4 f5 f6
2013-11-02 13:15:11 d1 d2 d3 d4 d5 d6
2013-11-02 14:23:22 e1 e2 e3 e4 e5 e6
2013-11-03 12:23:21 g1 g2 g3 g4 g5 g6
props.conf
[your_sourcetype]
TRANSFORMS-blah = keep235
transforms.conf
[keep235]
DEST_KEY = _raw
REGEX = ^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = $1 $2 $4 $5 $7
Result:
03/11/2013 12:23:21.000 2013-11-03 12:23:21 g2 g3 g5
02/11/2013 14:23:22.000 2013-11-02 14:23:22 e2 e3 e5
^Splunk parsed timestamp ^event timestamp ^less columns/fields
Hope this helps,
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, that's sweet!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, as long as you can formulate a regular expression that defines how Splunk should include or exclude data. You can either to nullQueue routing (= drop events altogether) or
Docs on how to use each: nullQueue routing - http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad
SEDCMD - http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf - see specification on SEDCMD at the middle of the page.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THANK YOU!
I have read some of related answers, and thought SEDCMD was just able to drop the content after a tag, nullQueue was "at event level"
Than i have to dig into "sed" tool. is there a awkcmd?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
