0

Is there any way to have ANSI color output on my logs and also consume them in Splunk?

Either having Splunk show the color (ideal but highly unlikely) or apply a filter on Splunk to remove the escape sequences?

gabriel
  • I see two questions. Please separate them and provide examples from the colour logs you expect. – Romeo Ninov Aug 12 '22 at 05:13
  • Why do you need colouring? In Splunk you separate the records in columns and they become very well defined and visible. Also, colouring will increase usage of your 24h license in Splunk. – Romeo Ninov Aug 12 '22 at 05:17
  • What does your log file look like that it has "ANSI color output" in it? – warren Aug 12 '22 at 13:15
  • The log I already have is a very simple log. There are ANSI escape sequences around the level: DEBUG|WARN|ERROR. The rest is plain text. Splunk shows `[36;3DEBUG[38;8`. Not the end of the world, but I'd like to remove that if possible. Have an enterprise account. – gabriel Aug 12 '22 at 19:16

1 Answer

1

It's pretty easy to remove unwanted text by using the SEDCMD attribute in props.conf. If the unwanted text can be described by a regular expression then it can be eliminated and the rest of the event retained.

Add this to the relevant props.conf file stanza:

```
SEDCMD-noColor = s/\[36;3DEBUG\[38;8//
```

If the digits are not fixed then the regex will have to be adjusted accordingly. Also, this regex does not account for the ESC character, if it's present in the data.

RichG
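An added example (not part of RichG's answer) for checking a substitution pattern offline before it goes into props.conf. Python's `re` stands in for the SEDCMD regex engine, the sample events are constructed, and the general pattern, the `SEDCMD-strip_sgr` name and well-formed `ESC [ ... m` colour sequences in the raw data are assumptions.

```python
import re

ESC = "\x1b"

# Literal pattern from the answer above: no ESC, fixed digits, spans the level.
ANSWER_RE = re.compile(r"\[36;3DEBUG\[38;8")

# Assumed general pattern: ESC, '[', numeric parameters, final 'm' (SGR colour
# codes only). As a props.conf line this would read (assumption, not from the
# answer):  SEDCMD-strip_sgr = s/\x1b\[[0-9;]*m//g
SGR_RE = re.compile(r"\x1b\[[0-9;]*m")


def apply_answer_regex(event: str) -> str:
    """Mimic sed s/// without the g flag: replace the first match only."""
    return ANSWER_RE.sub("", event, count=1)


def strip_sgr(event: str) -> str:
    """Remove every SGR sequence and keep the rest, including the level."""
    return SGR_RE.sub("", event)


def has_escape(event: str) -> bool:
    """True if a raw ESC byte is still present, i.e. the event is not clean."""
    return ESC in event


# Constructed sample events (not real logs).
DISPLAYED = "[36;3DEBUG[38;8 cache warmed [2022-08-12]"  # text as rendered
RAW = [
    f"{ESC}[36mDEBUG{ESC}[0m cache warmed [2022-08-12]",
    f"{ESC}[1;33mWARN{ESC}[0m retry 2 of 5 for job [42]",
    f"{ESC}[31mERROR{ESC}[0m upstream timeout",
]

if __name__ == "__main__":
    # The literal pattern matches the rendered text but deletes the level too.
    print(repr(apply_answer_regex(DISPLAYED)))
    for ev in RAW:
        # Left: literal pattern misses raw events. Right: general pattern.
        print(repr(apply_answer_regex(ev)), "->", repr(strip_sgr(ev)))
```

Requiring the ESC byte in the pattern is what keeps ordinary bracketed text such as `[2022-08-12]` or `[42]` from being stripped.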