Hi,
I have this data that I'd like to index
000d6f0004349d51.1:
Label: Front Door
Manufacturer: SAMSUNG SDS
Model: SHN-WDD510
Firmware version: 0x00000005
Hardware version: 1
User Properties:
NearEndRssi: -54
NearEndLqi: 255
batteryLow: false
label: Front Door
deadboltJammed: false
Battery Operated: True
Voltage: 6.0V
FE radio: -57/255
NE radio: -54/255
Date added: Fri Dec 12 20:08:30 CST 2014
Date of last communication: Fri Feb 10 12:45:59 CST 2017
In Communication Failure: false
In firmware upgrade failure: false
Firmware upgrade available: false
Is Locked: true
Max Users: 100
Operation Mode: normal
Success.
Exiting
Opened at /java/lib/normal.dat
Opened at /java/lib/native.dat
I'd like to ignore
Success.
Exiting
Opened at /java/lib/normal.dat
Opened at /java/lib/native.dat
How would I go about doing that?
You should use SEDCMD
in your props.conf
This is not tested, but should work (Try it in your Dev environment before applying in production)
[YourSourceType]
SEDCMD-strip-msg = s/Success\.\n\sExiting\n\sOpened\sat\s\/java.+\n\sOpened\sat.+//g
Don't forget to restart the Splunk service after making these changes to props.conf
You should use SEDCMD
in your props.conf
This is not tested, but should work (Try it in your Dev environment before applying in production)
[YourSourceType]
SEDCMD-strip-msg = s/Success\.\n\sExiting\n\sOpened\sat\s\/java.+\n\sOpened\sat.+//g
Don't forget to restart the Splunk service after making these changes to props.conf
I updated the answer to give a safer regular expression
@dbcase.. Did this solve your question? If so then please accept the answer
FYI the data that I hope to ignore will ALWAYS be:
Success.
Exiting
Opened at /java/lib/normal.dat
Opened at /java/lib/native.dat