https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343643#M5351 <P>Hi</P> <P>We want to capture the logs which are coming with events and condition like "WARNING" OR "HIGH" OR "MEDIUM" OR "CRITICAL" and to filter out the logs which are coming with "INFORMATION" OR "VERBOSE" OR "MONITORABLE" OR "UNEXPECTED"</P> Mon, 12 Jun 2017 10:12:31 GMT anandhalagarasa 2017-06-12T10:12:31Z https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343643#M5351 <P>Hi</P> <P>We want to capture the logs which are coming with events and condition like "WARNING" OR "HIGH" OR "MEDIUM" OR "CRITICAL" and to filter out the logs which are coming with "INFORMATION" OR "VERBOSE" OR "MONITORABLE" OR "UNEXPECTED"</P> Mon, 12 Jun 2017 10:12:31 GMT https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343643#M5351 anandhalagarasa 2017-06-12T10:12:31Z https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343644#M5352 <P>Hi anandhalagarasan,</P> <P>give this a try.</P> <PRE><CODE>props.conf [yoursourcetpye] TRANSFORMS-yoursourcetype=eliminate transforms.conf [eliminate] REGEX=(?=Unexpected|Information|Verbose|Monitorable) DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> <P>Let me know if it works!</P> Mon, 12 Jun 2017 12:27:43 GMT https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343644#M5352 horsefez 2017-06-12T12:27:43Z https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343645#M5353 <P>I have tried the same but the filtering is not working so kindly provide a solution for the same. </P> Tue, 13 Jun 2017 06:34:08 GMT https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343645#M5353 anandhalagarasa 2017-06-13T06:34:08Z https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343646#M5354 <P>All events are once again reaching Splunk so kindly check and update the same.</P> Tue, 13 Jun 2017 06:41:51 GMT https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343646#M5354 anandhalagarasa 2017-06-13T06:41:51Z https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343647#M5355 <P>Can anyone help on this query.</P> Tue, 13 Jun 2017 06:50:31 GMT https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343647#M5355 anandhalagarasa 2017-06-13T06:50:31Z https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343648#M5356 <P>I have to admit, that I was surprised my inital solution did not work as expected. <BR /> Regardless of that I found a working solution.</P> <PRE><CODE>props.conf [sharepoint] TRANSFORMS-null = setnull transforms.conf [setnull] REGEX = (?=Unexpected|Information|Verbose|Monitorable) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>This should work for you as well.<BR /> Here is a link to helpful documentation about it:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> Fri, 16 Jun 2017 16:12:02 GMT https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343648#M5356 horsefez 2017-06-16T16:12:02Z https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343649#M5357 <P>Thanks its working fine.</P> Wed, 21 Jun 2017 09:41:16 GMT https://community.splunk.com/t5/Splunk-Dev/Using-Regex-We-need-to-Capture-Few-Events-with-Conditions-High/m-p/343649#M5357 anandhalagarasa 2017-06-21T09:41:16Z