https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90495#M18773 <P>You should probably read the following for guidance on how to skip indexing of some events.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest" target="_blank">http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>In props.conf: </P> <PRE><CODE>[your_sourcetype] TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P>In transforms.conf: </P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = some_string DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>You'll have to replace 'some_sting' with a something that distinguishes the lines you want to keep, e.g. in your example "<CODE>phase</CODE>" or "<CODE>curr_date</CODE>" occur in the events you want to keep.</P> <P>When these transforms are called from props.conf, the order is important; first ALL events are set to be thrown away (setnull), then followed by the second transform (setparsing) that re-set the destination for the matching events from the <CODE>nullQueue</CODE> back to the <CODE>indexQueue</CODE>.</P> <P>Hope this helps,</P> <P>Kristian</P> Mon, 28 Sep 2020 13:42:55 GMT kristian_kolb 2020-09-28T13:42:55Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90494#M18772 <P>We have a custom application <BR /> log file which looks something like below, this file is not getting indexed with the 1st 4 lines in it.<BR /> These logs are generated for a number of similar programs the entries in "XXXXs..." will vary based on this</P> <P>=============================================================================================================================================================================================</P> <P>Application XXXXX XXXXX - YYYY BC and XX XXXXXX XXXXXX XXXXXX XX (XXX XX)<BR /><BR /> Application ---------------------------------------------------------------<BR /><BR /> Application XXXXX XXXXX - YYYY BC and XX XXXXXX XXXXXX XXXXXX XX (XXX XX)<BR /><BR /> Application ---------------------------------------------------------------<BR /><BR /> Application prg="XXXXX XXXXX- Receipt Creation Program" phase=Running status=Normal start_date="09-APR-2013 17:01:02" end_date="N/A" requestid=37541696 curr_time="09-APR-2013 17:15:13"<BR /><BR /> Application prg="XXXXX XXXXX- Receipt Creation Program" phase=Running status=Normal start_date="09-APR-2013 17:01:03" end_date="N/A" requestid=37541697 curr_time="09-APR-2013 17:15:13" </P> <P>==============================================================================================================================================================================================</P> <P>Same file (below) with the discarded lines works fine. </P> <P>==============================================================================================================================================================================================</P> <P>Application prg="XXXXX XXXXXX - Receipt Creation Program" phase=Running status=Normal start_date="09-APR-2013 17:01:02" end_date="N/A" requestid=37541696 curr_time="09-APR-2013 17:15:13"<BR /><BR /> Application prg="XXXXX XXXXXX- Receipt Creation Program" phase=Running status=Normal start_date="09-APR-2013 17:01:03" end_date="N/A" requestid=37541697 curr_time="09-APR-2013 17:15:13" </P> <P>===============================================================================================================================================================================================</P> <P>Is it possible to ignore or omit the 4 lines for the file to be indexed since it is not going to be possible to remove the entries from the applciation side to remove these lines.<BR /> Thanks</P> Mon, 28 Sep 2020 13:42:52 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90494#M18772 yogonline 2020-09-28T13:42:52Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90495#M18773 <P>You should probably read the following for guidance on how to skip indexing of some events.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest" target="_blank">http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>In props.conf: </P> <PRE><CODE>[your_sourcetype] TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P>In transforms.conf: </P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = some_string DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>You'll have to replace 'some_sting' with a something that distinguishes the lines you want to keep, e.g. in your example "<CODE>phase</CODE>" or "<CODE>curr_date</CODE>" occur in the events you want to keep.</P> <P>When these transforms are called from props.conf, the order is important; first ALL events are set to be thrown away (setnull), then followed by the second transform (setparsing) that re-set the destination for the matching events from the <CODE>nullQueue</CODE> back to the <CODE>indexQueue</CODE>.</P> <P>Hope this helps,</P> <P>Kristian</P> Mon, 28 Sep 2020 13:42:55 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90495#M18773 kristian_kolb 2020-09-28T13:42:55Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90496#M18774 <P>If I read your question correct, your file is not indexed.<BR /> Am I right in assuming, that the start of the file is identical with other files for the first 256 bytes?<BR /><BR /> You might see some lines in splunkd.log that looks like this: "File will not be read, is too small to match seekptr checksum" I use the following search: </P> <P>index=_internal source=*splunkd.log "File will not be read, is too small to match seekptr checksum" component="TailingProcessor" | dedup host file | table _time host file | sort host </P> <P>Try to look at initCrcLength in inputs.conf, this option came in 5.0.1</P> Thu, 11 Apr 2013 12:06:19 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90496#M18774 las 2013-04-11T12:06:19Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90497#M18775 <P>Oh..reading your answer, I think you understood better what the problem may be.</P> Sat, 13 Apr 2013 01:39:00 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-not-getting-indexed/m-p/90497#M18775 kristian_kolb 2013-04-13T01:39:00Z