Can I remove the time stamp from Raw events and keep only the remaining message for raw?
Question
Is it safe to remove Time from _raw?
Just a quick example, let's assume you have a timestamp in_raw that you want to remove from the event since you see a second timestamp already in the event like this:
IN:
A simple Mask function can include a regular expression like this: \w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s, that matches the first date in the event, Jun 9 16:17:49
Add a Mask Function and to remove the matching timestamp, just use empty quotes in the Replace Expression.
OUT:
Notice that the output is colored indicating the event was altered. One final note, is that you might want to add an AutoTimestamp function just in case the timestamp is not accurate, in this case notice the timestamp shows as 11:14:49.000 when it should be 11:17:49.438, including the milliseconds.
Updated Event with Corrected Timestamp
Sign up
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.