https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323089#M60169 <P>Hello all,</P> <P>I am trying to filter the data to be indexed however not success. Nothing is indexed.</P> <P>I have the below log file:</P> <PRE><CODE>&lt; 2017-12-06 16:25:44.569 Script: Session started. &lt; 2017-12-06 16:25:44.569 Executing user defined command on command session. &gt; 2017-12-06 16:25:44.569 [Shell] df -gt /amb/local/sap_sd ; echo "WinSCP: this is end-of-file:$?" &lt; 2017-12-06 16:25:44.569 Script: Filesystem GB blocks Used Free %Used Mounted on &lt; 2017-12-06 16:25:44.569 [Shell] Filesystem GB blocks Used Free %Used Mounted on &lt; 2017-12-06 16:25:44.569 Script: /dev/lvsapsd 9.00 5.21 3.79 58% /amb/local/sap_sd &lt; 2017-12-06 16:25:44.569 [Shell] /dev/lvsapsd 9.00 5.21 3.79 58% /amb/local/sap_sd &lt; 2017-12-06 16:25:44.569 [Shell] WinSCP: this is end-of-file:0 &gt; 2017-12-06 16:25:44.569 [Shell] pwd ; echo "WinSCP: this is end-of-file:$?" </CODE></PRE> <P>And i just would like to index the lines that containing the word "lvsapsd " (4th and 5th lines).</P> <P>I have configured my props.conf and transforms.conf as below:</P> <PRE><CODE>[sourcetype] TRANSFORMS-set= setnull,setparsing [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = .*(\blvsapsd\b).*/g DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Wed, 06 Dec 2017 19:45:55 GMT danillopavan 2017-12-06T19:45:55Z https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323089#M60169 <P>Hello all,</P> <P>I am trying to filter the data to be indexed however not success. Nothing is indexed.</P> <P>I have the below log file:</P> <PRE><CODE>&lt; 2017-12-06 16:25:44.569 Script: Session started. &lt; 2017-12-06 16:25:44.569 Executing user defined command on command session. &gt; 2017-12-06 16:25:44.569 [Shell] df -gt /amb/local/sap_sd ; echo "WinSCP: this is end-of-file:$?" &lt; 2017-12-06 16:25:44.569 Script: Filesystem GB blocks Used Free %Used Mounted on &lt; 2017-12-06 16:25:44.569 [Shell] Filesystem GB blocks Used Free %Used Mounted on &lt; 2017-12-06 16:25:44.569 Script: /dev/lvsapsd 9.00 5.21 3.79 58% /amb/local/sap_sd &lt; 2017-12-06 16:25:44.569 [Shell] /dev/lvsapsd 9.00 5.21 3.79 58% /amb/local/sap_sd &lt; 2017-12-06 16:25:44.569 [Shell] WinSCP: this is end-of-file:0 &gt; 2017-12-06 16:25:44.569 [Shell] pwd ; echo "WinSCP: this is end-of-file:$?" </CODE></PRE> <P>And i just would like to index the lines that containing the word "lvsapsd " (4th and 5th lines).</P> <P>I have configured my props.conf and transforms.conf as below:</P> <PRE><CODE>[sourcetype] TRANSFORMS-set= setnull,setparsing [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = .*(\blvsapsd\b).*/g DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Wed, 06 Dec 2017 19:45:55 GMT https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323089#M60169 danillopavan 2017-12-06T19:45:55Z https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323090#M60170 <P>Change your transforms.conf entry for setparsing with this (your don't have to match the whole line, specific keywords that can uniquely identify your events to keep will be sufficient)</P> <PRE><CODE>[setparsing] REGEX = lvsapsd DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Wed, 06 Dec 2017 20:07:25 GMT https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323090#M60170 somesoni2 2017-12-06T20:07:25Z https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323091#M60171 <P>Perfect!! Many thanks!!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 06 Dec 2017 20:19:23 GMT https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323091#M60171 danillopavan 2017-12-06T20:19:23Z https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323092#M60172 <P>Just another question...if I would like to include a phrase to be matched like "Script: Filesystem", how I can use in the regex expression?</P> <P>REGEX = "Script: Filesystem" ?</P> Sat, 09 Dec 2017 14:46:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-data-indexing/m-p/323092#M60172 danillopavan 2017-12-09T14:46:51Z