<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Filter Events before Indexing in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436677#M76180</link>
    <description>&lt;P&gt;I guess you are missing the escape characters for the square brackets here ...&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; (alertd\[\d{1,6}\]\:\s\w{3}\:)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also, you should make sure every event will go through both transforms, so maybe modify your props like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; [source::C:\Users\test\testsource.log]
 TRANSFORMS-set1 = setnull
 TRANSFORMS-set2 = setparsing
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Another option would be to use only a setnull transform, and make sure the regex from the setparsing does &lt;STRONG&gt;NOT&lt;/STRONG&gt; match. This would be like so:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; ^((?!(alertd\[\d{1,6}\]\:\s\w{3}\:)).)*$
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Wed, 30 Jan 2019 12:47:47 GMT</pubDate>
    <dc:creator>DMohn</dc:creator>
    <dc:date>2019-01-30T12:47:47Z</dc:date>
    <item>
      <title>Filter Events before Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436675#M76178</link>
      <description>&lt;P&gt;I get events from a universal forwarder. If "alertd[123456]: ABC:" is in the event, I would like to index it. All other events can be ignored.&lt;/P&gt;

&lt;P&gt;Do you have a solution? &lt;/P&gt;

&lt;P&gt;2019-01-23T14:22:45+01:00 host kernel: [123456.789101] ll header: yf:ff:ff:ef:ff:ff:00:00:00:00:88:05:01:00&lt;BR /&gt;
2019-01-23T14:22:49+01:00 host alertd[456789]: get_db_c(): ......&lt;BR /&gt;
2019-01-23T14:22:50+01:00 host alertd[123456]: CEF:0|abcdef|host|....&lt;BR /&gt;
2019-01-23T14:22:59+01:00 host alertd[456789]: abc_send(): ......&lt;/P&gt;

&lt;P&gt;I have tried the following configuration on the Indexer, but it didn't work: &lt;/P&gt;

&lt;P&gt;props.conf&lt;BR /&gt;
[source::C:\Users\test\testsource.log]&lt;BR /&gt;
TRANSFORMS-set = setnull,setparsing&lt;/P&gt;

&lt;P&gt;transforms.conf&lt;BR /&gt;
[setnull]&lt;BR /&gt;
REGEX = .&lt;BR /&gt;
DEST_KEY = queue&lt;BR /&gt;
FORMAT = nullQueue&lt;/P&gt;

&lt;P&gt;[setparsing]&lt;BR /&gt;
REGEX = (alertd[\d{1,6}]:\s\w{3}:)&lt;BR /&gt;
DEST_KEY = queue&lt;BR /&gt;
FORMAT = indexQueue&lt;/P&gt;

&lt;P&gt;Thanks for your solutions.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 23:00:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436675#M76178</guid>
      <dc:creator>mh0712</dc:creator>
      <dc:date>2020-09-29T23:00:39Z</dc:date>
    </item>
    <item>
      <title>Re: Filter Events before Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436676#M76179</link>
      <description>&lt;P&gt;Have you tried &lt;CODE&gt;TRANSFORMS-set = setparsing,setnull&lt;/CODE&gt;?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Jan 2019 12:46:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436676#M76179</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2019-01-30T12:46:03Z</dc:date>
    </item>
    <item>
      <title>Re: Filter Events before Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436677#M76180</link>
      <description>&lt;P&gt;I guess you are missing the escape characters for the square brackets here ...&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; (alertd\[\d{1,6}\]\:\s\w{3}\:)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also, you should make sure every event will go through both transforms, so maybe modify your props like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; [source::C:\Users\test\testsource.log]
 TRANSFORMS-set1 = setnull
 TRANSFORMS-set2 = setparsing
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Another option would be to use only a setnull transform, and make sure the regex from the setparsing does &lt;STRONG&gt;NOT&lt;/STRONG&gt; match. This would be like so:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; ^((?!(alertd\[\d{1,6}\]\:\s\w{3}\:)).)*$
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 30 Jan 2019 12:47:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436677#M76180</guid>
      <dc:creator>DMohn</dc:creator>
      <dc:date>2019-01-30T12:47:47Z</dc:date>
    </item>
    <item>
      <title>Re: Filter Events before Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436678#M76181</link>
      <description>&lt;P&gt;Try this:&lt;BR /&gt;
[source::C:\Users\test\testsource.log]&lt;BR /&gt;
TRANSFORMS-set = setnull,setparsing&lt;/P&gt;</description>
      <pubDate>Wed, 30 Jan 2019 14:19:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-Events-before-Indexing/m-p/436678#M76181</guid>
      <dc:creator>vishaltaneja070</dc:creator>
      <dc:date>2019-01-30T14:19:21Z</dc:date>
    </item>
  </channel>
</rss>