how to discard lines of an event, not the entire e...

alexl1 · ‎05-20-2013

hello,

I am trying nullQueue but I think it discards the entire event, is there a syntax that just discards lines but keeps the rest of the event? This is for a multiline event. Thanks,

hexx · ‎05-20-2013

No, if you really want to discard part of an event you're going to need to use a SEDCMD directive in props.conf:

SEDCMD-<name> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit card or social
  security numbers. For more information, search the online documentation for "anonymize
  data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the following subset of
  sed commands is supported:
        * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
            * regex is a perl regular expression (optionally containing capturing groups).
            * replacement is a string to replace the regex match. Use \n for backreferences,
              where "n" is a single digit.
            * flags can be either: g to replace all matches, or a number to replace a specified
              match.
    * substitute - y/string1/string2/
            * substitutes the string1[i] with string2[i]

hexx · ‎05-20-2013

Try:

[my_sourcetype]
SEDCMD-null = s/^Status_.*$//

alexl1 · ‎05-20-2013

does this look right, it's not deleting the lines yet

[my_sourcetype]
SEDCMD-null = s/^Status_[^$]*$//

how to discard lines of an event, not the entire event

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...