https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133906#M27520 <P>Give this a try</P> <PRE><CODE>transforms.conf (on INDEXER) [eliminate-debug] REGEX=(?m)-\s*DEBUG\s*- DEST_KEY=queue FORMAT=nullQueue props.conf (on INDEXER) [sourcetype::mySourceType] TRANSFORMS-trash = eliminate-debug </CODE></PRE> <P>Restart/reload the Indexer after change.</P> Mon, 09 Feb 2015 21:59:22 GMT somesoni2 2015-02-09T21:59:22Z https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133904#M27518 <P>Hi,</P> <P>I have a multi line flat file where I want to ignore/drop specifc events. I'm using the Universial Forwarder, so as I understand it, the indexer needs to drop/ignore the event. Below is my props.conf on the indexer. I want to drop/ignore any event that is not an ERROR. I tried the PREAMBLE_REGEX property setting a NOT regex and one explicitly looking for DEBUG. Neither are working. </P> <P>Sample event to ignore:<BR /> 02/09/2015 11:37:54,807 - DEBUG - <A href="https://Blah">https://Blah</A></P> <PRE><CODE>[Alerts] BREAK_ONLY_BEFORE_DATE = TRUE SHOULD_LINEMERGE = TRUE TIME_FORMAT=%m/%d/%Y %T TRUNCATE = 0 MAX_DAYS_AGO = 2 PREAMBLE_REGEX =^((?!\d\d.\d\d.\d\d\d\d\s\d\d:\d\d:\d\d\,\d+\s\-\sERROR).)* PREAMBLE_REGEX=^\d\d.\d\d.\d\d\d\d\s\d\d:\d\d:\d\d\,\d+\s\-\sDEBUG </CODE></PRE> <P>Any suggestions? </P> <P>Thank you!</P> <P>Chris</P> Mon, 09 Feb 2015 18:03:28 GMT https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133904#M27518 chrisboy68 2015-02-09T18:03:28Z https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133905#M27519 <P>Ok, found examples of using transforms.conf, but its still not working. Below is my transforms.conf. I want to drop DEBUG statements and INFOs and other stuff. Only keep ERRORS</P> <P>Sample Error:<BR /> 02/09/2015 16:25:54,220 - ERROR - ECommerceBlah <BR /> in transforms.conf</P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = ERROR DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>In props.conf</P> <PRE><CODE>[sourcetype::mySourceType] TRANSFORMS-trash = setnull,setparsing </CODE></PRE> <P>Any ideas?</P> <P>Thank you,</P> <P>Chris</P> Mon, 09 Feb 2015 20:39:19 GMT https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133905#M27519 chrisboy68 2015-02-09T20:39:19Z https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133906#M27520 <P>Give this a try</P> <PRE><CODE>transforms.conf (on INDEXER) [eliminate-debug] REGEX=(?m)-\s*DEBUG\s*- DEST_KEY=queue FORMAT=nullQueue props.conf (on INDEXER) [sourcetype::mySourceType] TRANSFORMS-trash = eliminate-debug </CODE></PRE> <P>Restart/reload the Indexer after change.</P> Mon, 09 Feb 2015 21:59:22 GMT https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133906#M27520 somesoni2 2015-02-09T21:59:22Z https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133907#M27521 <P>Ugh, this is baffling. Nothing is working. I placed splunkd in debug mod and didnt see anything in the errors. Is there a way to debug if the "transforms" are being hit?</P> <P>Tx</P> <P>Chris</P> Tue, 10 Feb 2015 15:02:37 GMT https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133907#M27521 chrisboy68 2015-02-10T15:02:37Z https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133908#M27522 <P>Output of ./splunk cmd btool transforms list below. So it looks like the transforms are loading. Just cant figure out why they it is not working..</P> <P>[eliminate-debug]<BR /> CAN_OPTIMIZE = True<BR /> CLEAN_KEYS = True<BR /> DEFAULT_VALUE = <BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue<BR /> KEEP_EMPTY_VALS = False<BR /> LOOKAHEAD = 4096<BR /> MV_ADD = False<BR /> REGEX = (?m)-\s*DEBUG\s*-<BR /> SOURCE_KEY = _raw<BR /> WRITE_META = False</P> Mon, 28 Sep 2020 18:52:59 GMT https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133908#M27522 chrisboy68 2020-09-28T18:52:59Z https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133909#M27523 <P>Ah, so [sourcetype::mySourceType] is not correct. I found I just needed [mySourceType] in the props.config, now its working.</P> <P>Chris</P> Thu, 12 Feb 2015 15:25:36 GMT https://community.splunk.com/t5/Getting-Data-In/MultiLine-Event-How-to-Ignore-Drop-Specific-Events/m-p/133909#M27523 chrisboy68 2015-02-12T15:25:36Z