topic Re: Heavy Forwarder, Syslog filter in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-Syslog-filter/m-p/78472#M16063 <P>here is your answer : Keep specific events and discard the rest</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>Here is an example, please time the regex to your events.<BR /> In props.conf, set the TRANSFORMS rule for any syslog soucretype<BR /> <CODE><BR /> [syslog]<BR /> TRANSFORMS-filtersyslog= setnull,keeponlyloginlogout<BR /> </CODE><BR /> Create a corresponding stanza in transforms.conf.<BR /> `<BR /> [setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[keeponlyloginlogout]<BR /> REGEX = (login|logout)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue<BR /> `</P> Wed, 03 Oct 2012 16:39:25 GMT yannK 2012-10-03T16:39:25Z Heavy Forwarder, Syslog filter https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-Syslog-filter/m-p/78471#M16062 <P>Hi all,</P> <P>How can I create a filter that sends just Syslog login and logout events? I have a Syslog on different machines that send syslog events to each their own forwarders and then come to indexer. How can I create a filter that has as sourcetype syslog?</P> <P>thanks in advance,<BR /> Best regards.</P> Wed, 03 Oct 2012 16:03:19 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-Syslog-filter/m-p/78471#M16062 benedetto 2012-10-03T16:03:19Z Re: Heavy Forwarder, Syslog filter https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-Syslog-filter/m-p/78472#M16063 <P>here is your answer : Keep specific events and discard the rest</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>Here is an example, please time the regex to your events.<BR /> In props.conf, set the TRANSFORMS rule for any syslog soucretype<BR /> <CODE><BR /> [syslog]<BR /> TRANSFORMS-filtersyslog= setnull,keeponlyloginlogout<BR /> </CODE><BR /> Create a corresponding stanza in transforms.conf.<BR /> `<BR /> [setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[keeponlyloginlogout]<BR /> REGEX = (login|logout)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue<BR /> `</P> Wed, 03 Oct 2012 16:39:25 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-Syslog-filter/m-p/78472#M16063 yannK 2012-10-03T16:39:25Z