<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Filter &amp; Ingest Data in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563830#M100424</link>
    <description>&lt;P&gt;Did you either restart the SHC/SH after making the changes?&lt;BR /&gt;&lt;BR /&gt;Or you can run the following in the search bar to get the same results:&lt;BR /&gt;&lt;BR /&gt;|rest /services/authentication/users splunk_server=local&lt;/P&gt;</description>
    <pubDate>Wed, 18 Aug 2021 18:52:47 GMT</pubDate>
    <dc:creator>codebuilder</dc:creator>
    <dc:date>2021-08-18T18:52:47Z</dc:date>
    <item>
      <title>Filter &amp; Ingest Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563674#M100403</link>
      <description>&lt;P&gt;Hi Experts,&lt;/P&gt;&lt;P&gt;I have a specific requirement to split the contents of a file and ingest them as separate events. A filter is then to be applied to those events, and only the filtered data ingested into the Splunk indexer.&lt;/P&gt;&lt;P&gt;I have created a REGEX pattern which splits the contents of the file and ingests the data as separate events, as desired. Now, my issue is with the filtering of the ingested data. In each event, I need to filter for AGGREGATED_EXECUTION and ingest only the events which have that content. I set the configuration as below.&lt;/P&gt;&lt;DIV&gt;&lt;P&gt;props.conf:&lt;BR /&gt;[expensive_statements]&lt;BR /&gt;TRANSFORMS-set= send_events&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;transforms.conf:&lt;BR /&gt;[send_events]&lt;BR /&gt;REGEX = AGGREGATED_EXECUTION&lt;BR /&gt;DEST_KEY = queue&lt;BR /&gt;FORMAT = indexQueue&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The above settings are made on the HF. Still, the filtering is not happening as expected. Kindly help in resolving the issue with filtering.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards, Karthikeyan.SV&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Tue, 17 Aug 2021 15:22:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563674#M100403</guid>
      <dc:creator>Karthikeyan</dc:creator>
      <dc:date>2021-08-17T15:22:20Z</dc:date>
    </item>
    <item>
      <title>Re: Filter &amp; Ingest Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563830#M100424</link>
      <description>&lt;P&gt;Did you either restart the SHC/SH after making the changes?&lt;BR /&gt;&lt;BR /&gt;Or you can run the following in the search bar to get the same results:&lt;BR /&gt;&lt;BR /&gt;|rest /services/authentication/users splunk_server=local&lt;/P&gt;</description>
      <pubDate>Wed, 18 Aug 2021 18:52:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563830#M100424</guid>
      <dc:creator>codebuilder</dc:creator>
      <dc:date>2021-08-18T18:52:47Z</dc:date>
    </item>
    <item>
      <title>Re: Filter &amp; Ingest Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563953#M100442</link>
      <description>&lt;P&gt;I restarted the SH after making the changes. Still, the new props are not in effect.&lt;/P&gt;</description>
      <pubDate>Thu, 19 Aug 2021 12:59:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563953#M100442</guid>
      <dc:creator>Karthikeyan</dc:creator>
      <dc:date>2021-08-19T12:59:32Z</dc:date>
    </item>
    <item>
      <title>Re: Filter &amp; Ingest Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563973#M100446</link>
      <description>&lt;P&gt;Instead of restarting splunkd on the search head, try restarting the splunkd service on the Heavy Forwarder, where the changes have been made, and then check if the results are effective.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If not, btool can tell if the configuration is really being loaded into memory or not.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;S&lt;/P&gt;&lt;P&gt;****If it helped, please upvote and accept it as a solution. It helps others to find the solution more quickly in the future****&lt;/P&gt;</description>
      <pubDate>Thu, 19 Aug 2021 16:13:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-amp-Ingest-Data/m-p/563973#M100446</guid>
      <dc:creator>shivanshu1593</dc:creator>
      <dc:date>2021-08-19T16:13:33Z</dc:date>
    </item>
  </channel>
</rss>

