How to remove header of a log?

sabaKhadivi · ‎03-12-2019

as I edit props.conf & transforms.conf to remove header of log , but it didn't work
here is my config:

props.conf

[sourcetype]
TRANSFORMS-skiphdr= setnull

transforms.conf

[setnull]
REGEX = 
DEST_KEY = queue
FORMAT = nullQueue

Is there any idea or suggestion?

whrg · ‎03-12-2019

I'm assuming you put the correct regex in REGEX. See @nickhillscpl answer.

Here are some more ideas:

Remember to restart Splunk after making changes to configuration fies.

Also, you must put these settings on your Heavy Forwarder / Indexer. I will not work on a Universal Forwarder.

sabaKhadivi · ‎03-12-2019

@whrg yes,It's heavy forwarder , and I restart splunk service after changes.

nickhills · ‎03-12-2019

Your REGEX = does not contain anything.

If there is a header string you can identify, add this to the regex.

For example, if the first line of your log was:
-------Start of Log------
you might set REGEX = \-+Start of Log\-+

If my comment helps, please give it a thumbs up!

sabaKhadivi · ‎03-12-2019

yes ,I add the regex of unused part of log

nickhills · ‎03-12-2019

Can you post a copy of the log header and your regex - please use the code formatter which looks like 101010

If my comment helps, please give it a thumbs up!

sabaKhadivi · ‎03-12-2019

REGEX = ^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s([0-2]\d|3[0-1])\s[0-2]\d:[0-5]\d:[0-5]\d 10.10.10.5\s1\s

useless part of my log is:
Mar 12 15:11:57 10.10.10.5 1

whrg · ‎03-13-2019

Your REGEX looks too complicated. Try to simplify/shorten it.
Use regex101.com for testing. I noticed that your regex does not match because of the \s at the end.

nickhills · ‎03-13-2019

Try this regex: ^\w{3}\s\d+\s\d{2}:\d{2}:\d{2}\s\d+\.\d+\.\d+\.\d+\s\d
https://regex101.com/r/TwH2pp/1

If my comment helps, please give it a thumbs up!

sabaKhadivi · ‎03-16-2019

@nickhillscpl
tnx for your answer, I give the result with SEDCMD in props.conf

sabaKhadivi · ‎03-12-2019

@nickhillscpl

sabaKhadivi · ‎03-12-2019

Mar 12 14:52:42 x.x.x.x 1 2019-03-12T14:52:42Z x.x.x.x s1 ;

this is the header that I need to remove from Mar to 1 and this is my regex (x are octet of IP Add)

^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s([0-2]\d|3[0-1])\s[0-2]\d:[0-5]\d:[0-5]\d x.x.x.x\s1\s

whrg · ‎03-12-2019

The REGEX line does not show anything. Is this correct? If not, use the Code Sample formatting for displaying special characters.
You will need a proper regular expression.
It will help us if you post the log header (anonymized).

sabaKhadivi · ‎03-12-2019

@whrg Mar 12 13:44:04 10.10.10.5 1
this is the useless part of my log which I want to remove, I put regex of it infront of Regex =

nickhills · ‎03-12-2019

When you post code (or regex) use the code tool to make sure it’s is formatted/displayed.

The code tool is the icon which looks like 101010

If my comment helps, please give it a thumbs up!

How to remove header of a log?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes