
Is there any way to have ANSI color output on my logs and also consume them in Splunk?

Either having Splunk show the color (ideal but highly unlikely) or applying a filter in Splunk to remove the escape sequences?

  • I see two questions. Please separate them and provide examples from the colour logs you expect. Commented Aug 12, 2022 at 5:13
  • Why do you need colouring? In Splunk you separate the records in columns and they become very well defined and visible. Also, colouring will increase usage of your 24h license in Splunk. Commented Aug 12, 2022 at 5:17
  • What does your log file look like that it has "ANSI color output" in it?
    – warren
    Commented Aug 12, 2022 at 13:15
  • The log I already have is a very simple log. There are ANSI escape sequences around the level: DEBUG|WARN|ERROR. The rest is plain text. Splunk shows [36;3DEBUG[38;8. Not the end of the world, but I'd like to remove that if possible. I have an enterprise account.
    – gabriel
    Commented Aug 12, 2022 at 19:16

1 Answer


It's pretty easy to remove unwanted text by using the SEDCMD attribute in props.conf. If the unwanted text can be described by a regular expression then it can be eliminated and the rest of the event retained.

Add this to the relevant props.conf file stanza:

SEDCMD-noColor = s/\[36;3DEBUG\[38;8//

If the digits are not fixed then the regex will have to be adjusted accordingly. Also, this regex does not account for the ESC character, if it's present in the data.
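A generalised form of the stripping regex the answer describes, as an added example that is not the answerer's code: it is written in Python so the pattern can be checked against sample events before a similar expression is placed in a SEDCMD. The function names and log lines are constructed for illustration, and it assumes standard colour sequences that end in `m`; unlike the literal pattern above, it keeps the level text and handles both data with the ESC byte and data where it was already dropped.

```python
import re

# CSI sequence per ECMA-48: ESC [ + parameter bytes + intermediate bytes + final byte.
# Covers colour (SGR, final byte "m") and other CSI sequences such as cursor moves.
ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

# Opt-in fallback for data whose ESC byte was lost upstream. Only SGR-shaped
# residue such as "[36;3m" is matched, so bracketed text like "[main]" survives.
# Legitimate text of the same shape (e.g. "[10m") would also be hit, hence opt-in.
ORPHAN_SGR = re.compile(r"\[\d{1,3}(?:;\d{1,3})*m")


def strip_ansi(line: str, orphaned: bool = False) -> str:
    """Remove ANSI escape sequences while keeping the text they wrapped."""
    cleaned = ANSI_CSI.sub("", line)
    if orphaned:
        cleaned = ORPHAN_SGR.sub("", cleaned)
    return cleaned


def clean_events(lines, orphaned: bool = False):
    """Apply strip_ansi to every event in an iterable of log lines."""
    return [strip_ansi(line, orphaned) for line in lines]


# Constructed sample events (not taken from the question's real log).
SAMPLES = [
    "2022-08-12 19:16:00 \x1b[36;3mDEBUG\x1b[0m cache warm",
    "2022-08-12 19:16:01 \x1b[38;5;208mWARN\x1b[m slow query [db-1]",
    "2022-08-12 19:16:02 [1;31mERROR[0m disk full [main]",  # ESC already lost
]

if __name__ == "__main__":
    for before, after in zip(SAMPLES, clean_events(SAMPLES, orphaned=True)):
        print(repr(before), "->", repr(after))
```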
