topic Re: Custom Filters in Getting Data In

Custom Filters

didier_again — Tue, 04 Dec 2012 10:53:51 GMT

I'm using the Unversal Forwarder to 'monitor' log files on the clients but I just can't index everything forwarded, there's too much data.

I know I can use REGEX to filter the data before it's indexed using the nullQueue example in the DOC. That's fine, it's working.

My problem is that filtering by REGEX is not flexible enough for what I need. Ideally I'd like to plug in a script (python or other) to only let some of the data reach the Indexer.

Is that possible at all? Or am I chasing a dead-end?

Regards,
Didier,

Re: Custom Filters

Ayn — Tue, 04 Dec 2012 11:00:09 GMT

It is not possible to filter using anything other than regular expressions at index time.

One possible way to achieve this is to replace your file monitor input with a scripted input, and then implement all your filtering logic in the script you write for reading the input data.

Re: Custom Filters

didier_again — Tue, 04 Dec 2012 11:05:10 GMT

That should do. Thank you.

Re: Custom Filters

DUThibault — Mon, 23 Apr 2018 15:04:24 GMT

(Late comment) Depending on what you're trying to do, you could also use SEDCMD in props.conf to throw away the parts of the events that you don't want indexed.