https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65822#M13209 <P>Hi,</P> <P>one approach could be the following: Create a file named filter.txt which contains all your filter strings. Next, define a new data input &gt; file, for that file. Here, each line consists of a filter string:</P> <P><CODE>foo<BR /> bar</CODE><BR /> (make sure the whole file is beeing monitored as one event)</P> <P>After this you could use <CODE>join()</CODE> to filter. E.g. like this:</P> <P><CODE>index="your_source_index" | join your_filter_field [search index="your_metaData_index" | head 1 | rex max_match=0 "(?&lt;your_filter_field&gt;.+)" | mvexpand your_filter_field | table your_filter_field]</CODE></P> <P>I am also quite certain <CODE>inputlookup</CODE> will work. It does. You have to add a new lookup file and lookup. Moreover you have to update that lookup file on your server in some way. A search could look like this:</P> <P><CODE>index="your_source_index" | join your_filter_field [ inputlookup your_lookup | rename csv_header AS your_filter_field]</CODE></P> <P>Latter solution has the back draw of getting access to the lookup file.</P> Tue, 19 Mar 2013 14:31:51 GMT bjoernjensen 2013-03-19T14:31:51Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65821#M13208 <P>I need to filter events when they contain an id from a defined set.</P> <P>I know that Heavy Forwarders can filter events based on a regex, but since my list of identifiers changes each day I will need to frequently update the configuration file containing the regex and then restart the forwarder to pick up the change. </P> <P>Is there a more dynamic way to filter events or is using a regex the only option? </P> Tue, 19 Mar 2013 11:04:40 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65821#M13208 justjosh 2013-03-19T11:04:40Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65822#M13209 <P>Hi,</P> <P>one approach could be the following: Create a file named filter.txt which contains all your filter strings. Next, define a new data input &gt; file, for that file. Here, each line consists of a filter string:</P> <P><CODE>foo<BR /> bar</CODE><BR /> (make sure the whole file is beeing monitored as one event)</P> <P>After this you could use <CODE>join()</CODE> to filter. E.g. like this:</P> <P><CODE>index="your_source_index" | join your_filter_field [search index="your_metaData_index" | head 1 | rex max_match=0 "(?&lt;your_filter_field&gt;.+)" | mvexpand your_filter_field | table your_filter_field]</CODE></P> <P>I am also quite certain <CODE>inputlookup</CODE> will work. It does. You have to add a new lookup file and lookup. Moreover you have to update that lookup file on your server in some way. A search could look like this:</P> <P><CODE>index="your_source_index" | join your_filter_field [ inputlookup your_lookup | rename csv_header AS your_filter_field]</CODE></P> <P>Latter solution has the back draw of getting access to the lookup file.</P> Tue, 19 Mar 2013 14:31:51 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65822#M13209 bjoernjensen 2013-03-19T14:31:51Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65823#M13210 <P>Thanks for the suggestion - however this is applying filtering at search time. For performance reasons I need to filter out events so they are not sent to the index.</P> Tue, 19 Mar 2013 17:53:45 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65823#M13210 justjosh 2013-03-19T17:53:45Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65824#M13211 <P>I see.</P> <P>One little note: You can enable configurations changes made to transforms.conf by typing the following search in Splunk Web: "| extract reload=t"<BR /> (source: documentation of transform.conf).</P> <P>Since you are writing:<BR /> "(...) then restart the forwarder to pick up the change."</P> Wed, 20 Mar 2013 08:01:04 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-possible-to-filter-dynamically/m-p/65824#M13211 bjoernjensen 2013-03-20T08:01:04Z