https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224613#M43961 <P>It is not performing as expected. Here is what we are trying to accomplish. The log file is a csv and we need to filter out all the events / data that is under 1400 bytes which is found in field 31.</P> <P>Sample log:</P> <PRE><CODE>2016/02/25 19:14:20,010401000240,TRAFFIC,start,1,2016/02/25 19:14:20,0.1.2.3,4.5.6.7,8.9.10.11,12.13.14.15,Outbound Services,,,dns,vsys1,TRUST,UNTRUST,ethernet1/18.80,ethernet1/17.1000,All Syslog Servers -Includes VZ,2016/02/25 19:14:20,133312,1,63869,53,60901,53,0x400000,udp,allow,96,96,0,1,2016/02/25 19:14:21,0,any,0,13810046794,0x0,255.255.0.0-255.255.255.255,US,0,1,0,n/a </CODE></PRE> <P>The current configuration is:</P> <P>props.conf</P> <PRE><CODE>[source::///var/log/proxy/paloalto/palo.log] TRANSFORMS-null = setnull,setnullindex </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX = ^(?:[^,]*?,){31}(\d{1,3}|1[0-3]\d{2}|1400) DEST_KEY = queue FORMAT = nullQueue [setnullindex] SOURCE_KEY = _MetaData:Index REGEX = plvpalo DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 29 Feb 2016 20:23:42 GMT babcolee 2016-02-29T20:23:42Z https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224609#M43957 <P>We have a condition where we need to filter out data based on the byte count in the log. We have collapsed the source and sourcetype names coming from different servers and we need to be specific based on the index name.</P> <P>Instead of:<BR /> props.conf</P> <PRE><CODE>[source::///var/log/paloalto/palo.log] TRANSFORMS-null = setnull </CODE></PRE> <P>Can we use for the props.conf configuration:</P> <PRE><CODE>[index::plvpalo] TRANSFORMS-null = setnull </CODE></PRE> <P>Or</P> <PRE><CODE>[source::///var/log/paloalto/palo.log] index = plvpalo TRANSFORMS-null = setnull </CODE></PRE> Mon, 29 Feb 2016 16:31:38 GMT https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224609#M43957 babcolee 2016-02-29T16:31:38Z https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224610#M43958 <P>I would say No, you can filter logs based on Index name in the way you can use source/sourcetype/host to filter logs, but you can filter out data for a source/sourcetype/host based on the index name. Try something like this</P> <P>props.conf</P> <PRE><CODE>[source::///var/log/paloalto/palo.log] TRANSFORMS-null = setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] SOURCE_KEY = _MetaData:Index REGEX = plvpalo DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 29 Feb 2016 16:48:27 GMT https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224610#M43958 somesoni2 2016-02-29T16:48:27Z https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224611#M43959 <P>I am already using a REGEX statement in the transforms.conf file to filter out any less than 1400 bytes. Would the transforms.conf work as follows:</P> <PRE><CODE>[setnull] SOURCE_KEY = _MetaData:Index REGEX = plvpalo REGEX = ^(?:[^,]*?,){31}(\d{1,3}|1[0-3]\d{2}|1400), DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 29 Feb 2016 17:46:46 GMT https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224611#M43959 babcolee 2016-02-29T17:46:46Z https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224612#M43960 <P>The above one will not work as the byte size was been check from <CODE>SOURCE_KEY=_raw</CODE> (default) and index name will be checked from <CODE>SOURCE_KEY = _MetaData:Index</CODE>. You can create two transforms.conf stanzas and call them both.</P> <P>props.conf</P> <PRE><CODE> [source::///var/log/paloalto/palo.log] TRANSFORMS-null = setnull,setnullindex </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] ..keep the current setting that you have... [setnullindex] SOURCE_KEY = _MetaData:Index REGEX = plvpalo DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 29 Feb 2016 18:04:45 GMT https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224612#M43960 somesoni2 2016-02-29T18:04:45Z https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224613#M43961 <P>It is not performing as expected. Here is what we are trying to accomplish. The log file is a csv and we need to filter out all the events / data that is under 1400 bytes which is found in field 31.</P> <P>Sample log:</P> <PRE><CODE>2016/02/25 19:14:20,010401000240,TRAFFIC,start,1,2016/02/25 19:14:20,0.1.2.3,4.5.6.7,8.9.10.11,12.13.14.15,Outbound Services,,,dns,vsys1,TRUST,UNTRUST,ethernet1/18.80,ethernet1/17.1000,All Syslog Servers -Includes VZ,2016/02/25 19:14:20,133312,1,63869,53,60901,53,0x400000,udp,allow,96,96,0,1,2016/02/25 19:14:21,0,any,0,13810046794,0x0,255.255.0.0-255.255.255.255,US,0,1,0,n/a </CODE></PRE> <P>The current configuration is:</P> <P>props.conf</P> <PRE><CODE>[source::///var/log/proxy/paloalto/palo.log] TRANSFORMS-null = setnull,setnullindex </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX = ^(?:[^,]*?,){31}(\d{1,3}|1[0-3]\d{2}|1400) DEST_KEY = queue FORMAT = nullQueue [setnullindex] SOURCE_KEY = _MetaData:Index REGEX = plvpalo DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 29 Feb 2016 20:23:42 GMT https://community.splunk.com/t5/Getting-Data-In/Can-Splunk-do-filtering-based-on-the-index-name-rather-than/m-p/224613#M43961 babcolee 2016-02-29T20:23:42Z