- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to extract my event in index time using props....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract my event in index time using props.conf and transforms.conf?
How to extract my event in index time using props.conf and transform .conf?
How to extract by event in index time to get expected format?
Actual format:
Tue Sep 26 11:38:08 EDT 2017 name="queue_browse" event_id="" queue_name="queue://DCS00/******" queue_length="1212" messages="ID:414d512044574343533030202020202059c473c8101beaf1,ID:414d512044574343533030202020202059c473c8101beaf2,ID:414d512044574343533030202020202059c473c8101beaf3" earliest_msg="1506093703930" latest_msg="1506337258320"
Expected Format:
Tue Sep 26 11:38:08 EDT 2017 name="queue_browse" event_id="" queue_name="queue://DCS00/******" queue_length="1212" earliest_msg="1506093703930" latest_msg="1506337258320"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@karthi2809 - are you saying that you don't want to extract the messages field at index time, or that you want to remove it from the _raw?
If the latter, then it's going to be a line like this in props.conf in the stanza for the appropriate [sourcetype]
SEDCMD-aremovemessage = s/^(.*?)(messages=\"[^\"]*\")(.*)$/\1\3/g
That translates as "find the first place we match messages=", plus all the following stuff that isn't a quote, then a quote " (call all of that messages="*" chunk "group \2") take everything before that (called "group \1") and everything after that (called "group \3"), and lump them together on the output".
https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html
https://answers.splunk.com/answers/293060/how-to-configure-sedcmd-in-propsconf-to-delete-xml.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to remove from _raw data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@karthi2809 - That's what that should do. Did it work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want to remove messages="..." portion from your raw data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes i have to remove the message
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
