Is it safe to remove Time from _raw?

Tony Reinke - Cribl

Can I remove the time stamp from Raw events and keep only the remaining message for raw?

David Maislin

Just a quick example, let's assume you have a timestamp in_raw that you want to remove from the event since you see a second timestamp already in the event like this:

IN:

A simple Mask function can include a regular expression like this:

\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s, that matches the first date in the event, Jun 9 16:17:49

Add a Mask Function and to remove the matching timestamp, just use empty quotes in the Replace Expression.

OUT:

Notice that the output is colored indicating the event was altered. One final note, is that you might want to add an AutoTimestamp function just in case the timestamp is not accurate, in this case notice the timestamp shows as 11:14:49.000 when it should be 11:17:49.438, including the milliseconds.

Updated Event with Corrected Timestamp





David Maislin

Just a quick example, let's assume you have a timestamp in_raw that you want to remove from the event since you see a second timestamp already in the event like this:

IN:

A simple Mask function can include a regular expression like this:

\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s, that matches the first date in the event, Jun 9 16:17:49

Add a Mask Function and to remove the matching timestamp, just use empty quotes in the Replace Expression.

OUT:

Notice that the output is colored indicating the event was altered. One final note, is that you might want to add an AutoTimestamp function just in case the timestamp is not accurate, in this case notice the timestamp shows as 11:14:49.000 when it should be 11:17:49.438, including the milliseconds.

Updated Event with Corrected Timestamp