Is it safe to remove Time from _raw?
Can I remove the time stamp from Raw events and keep only the remaining message for raw?
Best Answer
-
Just a quick example, let's assume you have a timestamp in_raw that you want to remove from the event since you see a second timestamp already in the event like this:
IN:
A simple Mask function can include a regular expression like this:
\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s, that matches the first date in the event,Jun 9 16:17:49Add a Mask Function and to remove the matching timestamp, just use empty quotes in the Replace Expression.
OUT:
Notice that the output is colored indicating the event was altered. One final note, is that you might want to add an AutoTimestamp function just in case the timestamp is not accurate, in this case notice the timestamp shows as
11:14:49.000when it should be11:17:49.438, including the milliseconds.
Updated Event with Corrected Timestamp
1
Answers
-
Just a quick example, let's assume you have a timestamp in_raw that you want to remove from the event since you see a second timestamp already in the event like this:
IN:
A simple Mask function can include a regular expression like this:
\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s, that matches the first date in the event,Jun 9 16:17:49Add a Mask Function and to remove the matching timestamp, just use empty quotes in the Replace Expression.
OUT:
Notice that the output is colored indicating the event was altered. One final note, is that you might want to add an AutoTimestamp function just in case the timestamp is not accurate, in this case notice the timestamp shows as
11:14:49.000when it should be11:17:49.438, including the milliseconds.
Updated Event with Corrected Timestamp
1