Hi,
My timestamps come to SPLUNK within the raw data, like t=1035445567757 (UNIX timestamp). At indexing time, I set in props.conf:
TIME_PREFIX = t=
Great, the timestamp is taken as metadata. Now I don't need it in the raw data, since it takes a significant amount of volume (compared to the rest of the raw data), and I can definitely improve overall performance if I can cut off this field at index time. However, I could not find a way to achieve that: using SEDCMD will cut the field, but then timestamp assignment does not work. Is there a way to reverse the order: first do TIME_PREFIX and then do SEDCMD-clean?
Thanks Andrei