https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134265#M27593 <P>Setup those type of filters at the indexer level :<BR /> You can use a rule based on the sourcetype, and a matching regex based on the event.<BR /> You can test your regex on sample events with the "rex" command in splunk before to make sure.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> Wed, 16 Apr 2014 21:24:28 GMT yannK 2014-04-16T21:24:28Z https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134264#M27592 <P>Hi, </P> <P>I have spent last 2 hours searching for this simple scenario on Splunk Answers, without any luck.<BR /> Here is the case.</P> <UL> <LI>Splunk 6.0.2 (Trial version) </LI> <LI>OS : Windows 7, 64 Bit</LI> <LI>Data Input : A Log4J file on my local computer </LI> </UL> <P>Requirement : Just want to index events which contains the string "[ERROR ]", in my indexer.</P> <P>Any help will be greatly appreciated.</P> Wed, 16 Apr 2014 20:46:13 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134264#M27592 bahmed 2014-04-16T20:46:13Z https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134265#M27593 <P>Setup those type of filters at the indexer level :<BR /> You can use a rule based on the sourcetype, and a matching regex based on the event.<BR /> You can test your regex on sample events with the "rex" command in splunk before to make sure.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> Wed, 16 Apr 2014 21:24:28 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134265#M27593 yannK 2014-04-16T21:24:28Z https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134266#M27594 <P>Based on the article, I set the following files as shown, but still not getting the filtered log.</P> <H2>props.config</H2> <P>[MyVacationLog]<BR /> TRANSFORMS-set= myvacnull,myvacparsing</P> <H2>transforms.config</H2> <P>[myvacnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[myvacparsing]<BR /> REGEX = [ERROR]<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Tue, 22 Apr 2014 20:59:05 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134266#M27594 bahmed 2014-04-22T20:59:05Z https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134267#M27595 <P>1- [ and ] are regex keyword, you should escape them<BR /> <CODE>REGEX = \[ERROR\]</CODE></P> <P>2- make sure that those props/transforms are on the indexers (not on universal or lightweight forwarders only)</P> Tue, 22 Apr 2014 21:17:47 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134267#M27595 yannK 2014-04-22T21:17:47Z https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134268#M27596 <P>Thanks yannK. I have changed the regular expression as per your point 1. No change in the result.</P> <P>My props/transforms are in the following directory : C:\Program Files\Splunk\etc\system\local</P> <P>Does that makes them on indexers. </P> <P>Appreciate your help.</P> Wed, 23 Apr 2014 16:45:31 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134268#M27596 bahmed 2014-04-23T16:45:31Z https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134269#M27597 <P>This looked correct, What is the current behavior when you index new events :</P> <UL> <LI>all events are dropped the nullQueue (with or without the [ERROR] keyword)</LI> <LI>all events are indexed ?</LI> <LI>a mix of both ?</LI> </UL> <P>did you restarted the indexers to apply the change ?</P> Wed, 23 Apr 2014 19:00:36 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134269#M27597 yannK 2014-04-23T19:00:36Z https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134270#M27598 <P>For the new events, all of them are getting indexed including the one contains "Error".</P> <P>I have restarted the Splunk on my local machine.</P> Wed, 23 Apr 2014 21:05:46 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-data-out-from-Data-Input/m-p/134270#M27598 bahmed 2014-04-23T21:05:46Z