How to extract my event at index time using props.conf and transforms.conf?
How do I extract my event at index time to get the expected format?
Actual format:
Tue Sep 26 11:38:08 EDT 2017 name="queue_browse" event_id="" queue_name="queue://DCS00/******" queue_length="1212" messages="ID:414d512044574343533030202020202059c473c8101beaf1,ID:414d512044574343533030202020202059c473c8101beaf2,ID:414d512044574343533030202020202059c473c8101beaf3" earliest_msg="1506093703930" latest_msg="1506337258320"
Expected Format:
Tue Sep 26 11:38:08 EDT 2017 name="queue_browse" event_id="" queue_name="queue://DCS00/******" queue_length="1212" earliest_msg="1506093703930" latest_msg="1506337258320"
@karthi2809 - are you saying that you don't want to extract the messages field at index time, or that you want to remove it from the _raw?
If the latter, then it's going to be a line like this in props.conf in the stanza for the appropriate [sourcetype]
SEDCMD-aremovemessage = s/^(.*?)(messages=\"[^\"]*\")(.*)$/\1\3/g
That translates as "find the first place we match `messages="`, plus all the following stuff that isn't a quote, then a quote `"` (call all of that `messages="*"` chunk "group \2"); take everything before that (called "group \1") and everything after that (called "group \3"), and lump them together on the output".
https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html
https://answers.splunk.com/answers/293060/how-to-configure-sedcmd-in-propsconf-to-delete-xml.html
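As an added example, not from the original thread: a small Python check that runs the answer's SEDCMD regex against the sample event from the question, so the substitution can be verified before it is deployed in props.conf. The regex and the event are taken from the posts above; the helper names, the tidier variant that also drops the whitespace in front of the field, and the field parser are my own assumptions.

```python
import re

# Sample event copied from the question (assumed to be one single-line event).
SAMPLE_EVENT = (
    'Tue Sep 26 11:38:08 EDT 2017 name="queue_browse" event_id="" '
    'queue_name="queue://DCS00/******" queue_length="1212" '
    'messages="ID:414d512044574343533030202020202059c473c8101beaf1,'
    'ID:414d512044574343533030202020202059c473c8101beaf2,'
    'ID:414d512044574343533030202020202059c473c8101beaf3" '
    'earliest_msg="1506093703930" latest_msg="1506337258320"'
)

# The pattern from the answer's SEDCMD, unchanged. Splunk's sed syntax
# writes the replacement as \1\3; Python's re spells that \g<1>\g<3>.
SEDCMD_PATTERN = re.compile(r'^(.*?)(messages=\"[^\"]*\")(.*)$')

# Hypothetical variant (assumption): also swallow the whitespace before the
# field so the neighbours end up separated by a single space, as in the
# expected format shown in the question.
TIDY_PATTERN = re.compile(r'\s*messages="[^"]*"')

# Generic key="value" tokenizer, used only to check which fields survive.
FIELD_PATTERN = re.compile(r'(\w+)="([^"]*)"')


def strip_messages_sedcmd(raw: str) -> str:
    """Mirror the answer's SEDCMD: keep groups 1 and 3, drop group 2."""
    return SEDCMD_PATTERN.sub(r'\g<1>\g<3>', raw)


def strip_messages_tidy(raw: str) -> str:
    """Variant that removes the field together with its leading whitespace."""
    return TIDY_PATTERN.sub('', raw)


def parse_fields(raw: str) -> dict:
    """Return the key="value" pairs still present in an event line."""
    return dict(FIELD_PATTERN.findall(raw))


if __name__ == "__main__":
    for fn in (strip_messages_sedcmd, strip_messages_tidy):
        out = fn(SAMPLE_EVENT)
        print(fn.__name__, "->", out)
        print("  messages field gone:", "messages" not in parse_fields(out))
```

The answer's pattern leaves two spaces where the field used to be (group 1 ends with a space and group 3 starts with one); the variant shows how to absorb that if the exact expected format matters.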
I want to remove from _raw data
@karthi2809 - That's what that should do. Did it work?
Do you want to remove the messages="..." portion from your raw data?
Yes, I have to remove the message.