Hello, I have logs with some events. I want to see only my event. How can I remove the other information? My event begins at: "main: number of bytes received: 489" and finishes at: "Send msg to queue *******". Could you help me on Skype: digilan007
6| set_buffer_mode: stderr is line-buffered
6| Opened txrout.out, Mar 27 at 09:38:00
6| #!# SVFE Ver. 2.2.7 build 20050624 #!#
6| =>COMMIT_WORK (db_login.pc)
0|
Task with ID = 11 is waiting for the message to arrive on the queue 34471943.
49395| main: number of bytes received: 63
49395| 09:41:18
49395| main: Found message format 1.00
49395| =>sv_msg2msgx_ent (tag_utils.c)
49395| =>svm_dprint (sv_message.c 10.4)
49395| svm_dprint: Message v1.00
umsgnum = 00000000 org_pid = 00000000
dest_pid = 00000000 timestamp_in = 1301204478
msg_size = 00000007 msgtype = 00000022
direction = 00000000 dev_proc_id = 00000000
org_dev_qid = 34471943 49395| BITS: 49395|
...................................................................................................
0| =>get_from_addldata (tag_utils.c)
0| get_from_addldata:Input dptr=0x0x600fffffffef6fc8 limit=0x0x600fffffffef6fc8
0| Tag 0xBD SVT_ACTION is not present in bpc_addldata
0| txn_needs_new_routing: return FALSE
0| =>COMMIT_WORK (db_login.pc)
As Kristian said in the comment, you probably want to redefine the way you want Splunk to parse your events.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents
Then, once you have isolated the pieces, delete the useless events (see nullQueue), or reformat them using SEDCMD.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles
Hi, your sample data does not correspond with the event delimiters you specify. (There is no line "Send message to queue..."). Also, this is the user forum, not an official support site - maybe someone will call you on skype, but you shouldn't count on it.
In general, it would probably be good to study the documentation sections for props.conf, more specifically around the parameters for breaking the incoming data stream into events (BREAK_ONLY_BEFORE... MUST_NOT_BREAK...), and possibly also the docs on anonymizing data, which could be a means for removing the unwanted lines.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Anonymizedatausingconfigurationfiles
/k
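The approach suggested in the answer and comment above, as an added configuration sketch that is not part of the original posts: break the stream into events at the start marker from the question, then send every event that does not begin with that marker to nullQueue. The sourcetype name `svfe_txrout`, the transform stanza names and the `MAX_EVENTS` value are assumptions; the end marker is taken from the question text, since the sample does not show it.

```ini
# ---- props.conf ----
# Sourcetype name is an assumption; use the one assigned to txrout.out.
[svfe_txrout]
SHOULD_LINEMERGE = true
# Do not start a new event at timestamp-looking lines such as "49395| 09:41:18".
BREAK_ONLY_BEFORE_DATE = false
# Start a new event at the start marker given in the question.
BREAK_ONLY_BEFORE = main: number of bytes received:
# Close the event after the end marker given in the question.
MUST_BREAK_AFTER = Send msg to queue
# Merged events are capped at 256 lines by default; raise for long dumps (assumed value).
MAX_EVENTS = 1000
# Transforms run left to right: drop everything, then re-queue the wanted events.
TRANSFORMS-keep_txn = svfe_drop_all, svfe_keep_txn

# ---- transforms.conf ----
# Stanza names are assumptions.
[svfe_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[svfe_keep_txn]
# Matches only events whose first line is "<id>| main: number of bytes received: ..."
REGEX = ^\s*\d+\|\s*main: number of bytes received:
DEST_KEY = queue
FORMAT = indexQueue
```

These are index-time settings: they belong on the indexer or heavy forwarder that parses the data, and they only affect events indexed after the change.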
What is all the information you want to remove? Can you please be more specific in your query?