Is there any way to have ANSI color output on my logs and also consume them in Splunk?
Either having Splunk show the color (ideal but highly unlikely) or applying a filter in Splunk to remove the escape sequences?
It's pretty easy to remove unwanted text by using the SEDCMD attribute in props.conf. If the unwanted text can be described by a regular expression then it can be eliminated and the rest of the event retained.
Add this to the relevant props.conf file stanza:
SEDCMD-noColor = s/\[36;3DEBUG\[38;8//
If the digits are not fixed then the regex will have to be adjusted accordingly. Also, this regex does not account for the ESC character, if it's present in the data.
[36;3DEBUG[38;8
Not the end of the world, but I'd like to remove that if possible. Have an enterprise account.
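The answer above notes that its regex assumes fixed digits and ignores the ESC character. The following added example (not part of the original thread) compares a pattern that requires ESC with one that makes it optional, using constructed sample events. The names `STRICT`, `LOOSE`, `strip_colour` and `compare` are hypothetical, and the pattern text is what would sit between the slashes of a `s/.../.../g` substitution, to be checked against your own data first.

```python
import re

ESC = "\x1b"

# Constructed sample events (not taken from the thread).
SAMPLES = [
    f"2024-01-01 12:00:00 {ESC}[36mDEBUG{ESC}[0m cache warm",  # ESC byte intact
    "2024-01-01 12:00:01 [1;31mERROR[0m disk full",             # ESC lost upstream
    "2024-01-01 12:00:02 INFO retry window[5m] elapsed",        # no colour codes at all
]

# SGR colour sequence: ESC, '[', any run of digits and semicolons, then 'm'.
STRICT = re.compile(r"\x1b\[[0-9;]*m")
# Same sequence with ESC optional, for feeds where the byte was dropped
# before the data reached the indexer.
LOOSE = re.compile(r"\x1b?\[[0-9;]*m")


def strip_colour(event: str, pattern: re.Pattern = STRICT) -> str:
    """Delete every match, as a sed-style s/<pattern>//g substitution would."""
    return pattern.sub("", event)


def compare(events):
    """Return (strict_result, loose_result) per event to expose the trade-off."""
    return [(strip_colour(e, STRICT), strip_colour(e, LOOSE)) for e in events]


if __name__ == "__main__":
    for strict, loose in compare(SAMPLES):
        print("strict:", strict)
        print("loose: ", loose)
```

The strict pattern leaves the second event untouched, while the loose pattern cleans it but also eats `[5m` from the third, so the ESC-optional form should only be used when the data shows the ESC byte is really missing.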