https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388785#M13382 <P>You would also need to ensure that the line with debug, "d" and the following line 1, 2 ... should be configured/treated as multi-line, so as to remove all of them together with nullQueue</P> Tue, 08 Jan 2019 13:14:40 GMT lakshman239 2019-01-08T13:14:40Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388782#M13379 <P>Hello,</P> <P>I would like to filter out the log entries (before indexing) which are created in the debugging mode. They can be identified by the letter "d" in my logfile:</P> <PRE><CODE>[293672]{-1}[-1/-1] 2019-01-08 11:24:29.210542 d PITRestart LogReplayCoordinator.cpp(02658) : replayStepFinished(), logPos=0x1d2e2bab65b8 Line 1 Line 2 Line N </CODE></PRE> <P>In the above there is a header line, which has always a similar structure and the 3 additional lines of the event. The header line includes always the pattern:</P> <PRE><CODE>11:24:29.210542 d </CODE></PRE> <P>where the letter can be "i" for info, "e" for error, "d" for debug, etc.<BR /> Now, I would like to filter out all the events (header line plus belonging lines) where the loglevel is "d".<BR /> How would I achieve this?</P> <P>On the example of the below:</P> <PRE><CODE>[259451]{-1}[-1/-1] 2019-01-08 11:24:29.213984 a STATS_CTRL Schedule.cpp(00106) : Enter void StatisticsService::ScheduleReloader::updateExecutionQueue(StatisticsService::ExecutionQueue&amp;) Arg this = 0x00007e382849b0a8 [293672]{-1}[-1/-1] 2019-01-08 11:24:29.210542 d PITRestart LogReplayCoordinator.cpp(02658) : replayStepFinished(), logPos=0x1d2e2bab65b8 Line 1 Line 2 Line N [265685]{242705}[1340/-1] 2019-01-08 11:24:29.144534 e StatementResourc StatementResourceTracking.cc(00217) : statistics collection is not finished: stmt=0x00007e8643473400, stmtid=1042411823155799 </CODE></PRE> <P>I would like to get rid of the second event and have only the following after indexing:</P> <PRE><CODE>[259451]{-1}[-1/-1] 2019-01-08 11:24:29.213984 a STATS_CTRL Schedule.cpp(00106) : Enter void StatisticsService::ScheduleReloader::updateExecutionQueue(StatisticsService::ExecutionQueue&amp;) Arg this = 0x00007e382849b0a8 [265685]{242705}[1340/-1] 2019-01-08 11:24:29.144534 e StatementResourc StatementResourceTracking.cc(00217) : statistics collection is not finished: stmt=0x00007e8643473400, stmtid=1042411823155799 </CODE></PRE> <P>Could you help me with the props.conf, transforms.conf and especially the corresponding REGEX for that?</P> <P>Kind Regards,<BR /> Kamil</P> Tue, 08 Jan 2019 12:29:40 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388782#M13379 damucka 2019-01-08T12:29:40Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388783#M13380 <P>Hi @damucka,</P> <P>Please try below config on Indexer/Heavy Forwarder whichever comes first from Universal Forwarder.</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] TRANSFORMS-eliminatedebug = setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX=(?m)\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\.\d{6}\sd DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> <P>EDIT: If <CODE>Line 1, Line 2 ... Line N</CODE> are events with Debug line then you can try below transforms.conf</P> <PRE><CODE>[setnull] REGEX=(?s)\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\.\d{6}\sd.*\n DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Tue, 08 Jan 2019 13:02:58 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388783#M13380 harsmarvania57 2019-01-08T13:02:58Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388784#M13381 <P>can we simply use "210542 d" <BR /> <CODE>REGEX=210542\sd</CODE> </P> Tue, 08 Jan 2019 13:11:39 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388784#M13381 inventsekar 2019-01-08T13:11:39Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388785#M13382 <P>You would also need to ensure that the line with debug, "d" and the following line 1, 2 ... should be configured/treated as multi-line, so as to remove all of them together with nullQueue</P> Tue, 08 Jan 2019 13:14:40 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388785#M13382 lakshman239 2019-01-08T13:14:40Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388786#M13383 <P>Hi @inventsekar,</P> <P>I guess datetime value which is provided is for sample only so <CODE>210542\sd</CODE> will not work because it is subsecond and every event will have different values for subsecond.</P> Tue, 08 Jan 2019 13:15:04 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388786#M13383 harsmarvania57 2019-01-08T13:15:04Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388787#M13384 <P>I am guessing that 1,2 ... those are same type of events and not multiline values.</P> Tue, 08 Jan 2019 13:16:30 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388787#M13384 harsmarvania57 2019-01-08T13:16:30Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388788#M13385 <P>At the moment we have 3 events there, each starting with the header line. Not sure about the multiline values ... I did nothing with the configuration, Splunk recognizes it itself. So, to make it clear - I would like to get rid of the second event.</P> Tue, 08 Jan 2019 13:30:07 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388788#M13385 damucka 2019-01-08T13:30:07Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388789#M13386 <P>I have provided 2 different regex for transforms.conf, you can try that and let us know if it will not work.</P> Tue, 08 Jan 2019 13:32:13 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388789#M13386 harsmarvania57 2019-01-08T13:32:13Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388790#M13387 <P>Thank you. I will test and let you know.<BR /> Is it possible to match several sourcetypes in props.conf to the same entry in transforms.conf? Like below:</P> <P>[yoursourcetype1]<BR /> TRANSFORMS-eliminatedebug = setnull</P> <P>[yoursourcetype2]<BR /> TRANSFORMS-eliminatedebug = setnull</P> <P>[yoursourcetype3]<BR /> TRANSFORMS-eliminatedebug = setnull</P> Tue, 08 Jan 2019 13:56:44 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388790#M13387 damucka 2019-01-08T13:56:44Z https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388791#M13388 <P>Yes you can</P> Tue, 08 Jan 2019 14:06:21 GMT https://community.splunk.com/t5/Security/Filter-out-event-before-indexing-using-REGEX/m-p/388791#M13388 harsmarvania57 2019-01-08T14:06:21Z