We are getting speacial characters in splunk raw message which is impacting downstream parsing. Can you suggest ways to remove it?
What do you mean by special characters? The <
and >
? These are usually sent by a syslog sending device. If it's always at the start of a message, you could easily either cut it by using regex in transforms and rewrite to _raw or use sedcmd to get rid off it.
Both options are covered here on Answers quite a few times.
Skalli