https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/520085#M3463 <P>props.conf</P><LI-CODE lang="markup">[mx_java_event] TRANSFORMS-set = setnull, setparsing</LI-CODE><P>transforms.conf&nbsp;</P><P>NOTE:&nbsp; if event contains "Session initialization" OR "Session initialized" anywhere then the event will be indexed others are ignored.</P><LI-CODE lang="markup">[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = (Session initialization|Session initialized) DEST_KEY = queue FORMAT = indexQueue</LI-CODE><P>&nbsp;below is output from your sample events:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="filter-events.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10869iF012BE421C1589B2/image-size/large?v=v2&amp;px=999" role="button" title="filter-events.png" alt="filter-events.png" /></span></P> Thu, 17 Sep 2020 08:53:40 GMT thambisetty 2020-09-17T08:53:40Z https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/519961#M3452 <P>Hello,</P><P>In particular sourcetype we are getting huge numbers of events but only some data events are relevant. I am try to take only events with matching string and exclude everything else.</P><P>Matching strings :&nbsp; Session initialization | Session initialized&nbsp; &nbsp;(There are few more as well)&nbsp; &nbsp;</P><P><BR />I have tried this by refereing this post&nbsp;<A href="https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9213/thread-id/18" target="_self">Link</A>&nbsp;<BR /><BR />When I am using this its excluding everyting and when i tried only with setparsing its injesting all data. Not sure what I am missing here.<BR /><BR />props.conf</P><P>[mx_java_event]<BR />DATETIME_CONFIG =<BR />LINE_BREAKER = ([\r\n]+)<BR />NO_BINARY_CHECK = true<BR />category = Custom<BR />pulldown_type = true<BR />EXTRACT-JavaClass = ,\d+\s\[(?&lt;JavaClass&gt;[^:]*):<BR />EXTRACT-Session = session:(?&lt;Session&gt;\d+)<BR /><STRONG>TRANSFORMS-set = setnull, setparsing<BR /><BR />transforms.conf</STRONG></P><P>[setnull]<BR />REGEX = .<BR />DEST_KEY = queue<BR />FORMAT = nullQueue</P><P>[setparsing]<BR />REGEX = Session initialization | Session initialized<BR />DEST_KEY = queue<BR />FORMAT = indexQueue</P><P>FYI : In case REGEX is incorrect, I tried with "REGEX = Session"&nbsp; its not working either.</P><P>&nbsp;</P><P>&nbsp;</P><P>Sample data: (Only 1st and 3rd line are matching)<BR /><BR />2020-08-12 14:08:11,775 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Session initialization - SGITOPS/SG_LAW_MRC<BR />2020-08-12 14:08:12,775 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Excluded - SGITOPS/SG_LAW_MRC<BR />2020-08-12 14:08:11,912 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Session initialized<BR />2020-08-12 14:08:12,912 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Session Excluded2<BR />2020-08-12 14:08:12,912 JUST FOR Testing</P> Wed, 16 Sep 2020 16:17:19 GMT https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/519961#M3452 AKG1_old1 2020-09-16T16:17:19Z https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/519975#M3453 <P>Provide sample events to test regex.</P> Wed, 16 Sep 2020 16:12:42 GMT https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/519975#M3453 thambisetty 2020-09-16T16:12:42Z https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/519976#M3454 <P>added sample data</P> Wed, 16 Sep 2020 16:18:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/519976#M3454 AKG1_old1 2020-09-16T16:18:11Z https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/520085#M3463 <P>props.conf</P><LI-CODE lang="markup">[mx_java_event] TRANSFORMS-set = setnull, setparsing</LI-CODE><P>transforms.conf&nbsp;</P><P>NOTE:&nbsp; if event contains "Session initialization" OR "Session initialized" anywhere then the event will be indexed others are ignored.</P><LI-CODE lang="markup">[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = (Session initialization|Session initialized) DEST_KEY = queue FORMAT = indexQueue</LI-CODE><P>&nbsp;below is output from your sample events:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="filter-events.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10869iF012BE421C1589B2/image-size/large?v=v2&amp;px=999" role="button" title="filter-events.png" alt="filter-events.png" /></span></P> Thu, 17 Sep 2020 08:53:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/Index-only-events-matching-with-pattern-and-exclude-everyting/m-p/520085#M3463 thambisetty 2020-09-17T08:53:40Z