https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466227#M80336 <P>Hello, </P> <P>I really don't know what is going on in my splunk. </P> <P>I tried to route data from main index to iis_nonprod. That is not working. </P> <P>I kept props and transforms in HF. Because the data is touting HF before going to IDX.</P> <P>source: e:\IISLogs\W3SVC1\u_ex191029.log</P> <P>props: <BR /> [source::e:\IISLogs\W3SVC1*.log]<BR /> TRANSFORMS-filter = routeData</P> <P>tried both REGEX = . and REGEX= . and REGEX =. but nothing is working.</P> <P>transforms:<BR /> [routeData]<BR /> REGEX = .<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = iis_nonprod</P> <P>but still the data is not routing. </P> <P>By the way. the above filterings are not working. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>can you please help me with that? </P> Wed, 30 Sep 2020 02:43:32 GMT satyaallaparthi 2020-09-30T02:43:32Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466214#M80323 <P>Hello, </P> <P>I have tons of data that are ingesting to some index="abc". </P> <P>But I want to filter the whole data and want to ingest the log with the words "Events,Transaction,Payment" and then want to route that data to index=event_logs</P> <P>I wrote the below props and transforms. But no luck.</P> <P>Props:</P> <P>TRANSFORMS-filter = null, IQ,Events</P> <P>Transforms:</P> <P>[null]<BR /> REGEX= .<BR /> DEST_KEY = Queue<BR /> FORMAT = nullQueue</P> <P>[IQ]<BR /> REGEX= .+(Event|Payment|Transaction).+<BR /> DEST_KEY = Queue<BR /> FORMAT = indexQueue</P> <P>[Events]<BR /> REGEX= .+(Event|Payment|Transaction).+<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = Event_log</P> <P>Please do help me with the issue. </P> <P>Thanks in Advance</P> Wed, 30 Sep 2020 02:42:12 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466214#M80323 satyaallaparthi 2020-09-30T02:42:12Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466215#M80324 <P>Hi satyaallaparthi,<BR /> Three notes:<BR /> at first, where do you have these conf files?<BR /> You have to put them on Indexers or (when present) on Heavy Forwarders, not on Universal Forwarder.<BR /> For more information see at <A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Routeandfilterdatad</A> .</P> <P>Then the regex should be a little different:</P> <PRE><CODE>REGEX=Event|Payment|Transaction </CODE></PRE> <P>.<BR /> At least, why do you need to override index? is it not possible to set it on inputs.conf?</P> <P>Ciao.<BR /> Giuseppe</P> Fri, 25 Oct 2019 14:41:20 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466215#M80324 gcusello 2019-10-25T14:41:20Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466216#M80325 <P>Hello, </P> <P>Yes, I did tried that before doing this.. but no luck.. that is why I changed the regex.. </P> <P>No, that is not possible to set in Inputs. Because I am getting the data from other instance. </P> <P>Thanks, </P> Fri, 25 Oct 2019 14:51:46 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466216#M80325 satyaallaparthi 2019-10-25T14:51:46Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466217#M80326 <P>Hi satyaallaparthi,<BR /> let me understand:</P> <UL> <LI>you have these conf files on Indexer, not on Universal Forwarders and you don't have intermediate Heavy Forwarders;</LI> <LI>you tried my rex and you rex both without success;</LI> <LI>you restarted Splunk after conf files updates.</LI> </UL> <P>Could you try without the third command in props.conf?</P> <PRE><CODE>TRANSFORMS-filter = null, IQ </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Fri, 25 Oct 2019 14:58:52 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466217#M80326 gcusello 2019-10-25T14:58:52Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466218#M80327 <P>But I want the third one to route data to new index. </P> <P>And yes, I have heavy forwarder is between indexer and UF. I restarted the server after I placed. But no luck</P> <P>Thanks, </P> Fri, 25 Oct 2019 17:21:25 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466218#M80327 satyaallaparthi 2019-10-25T17:21:25Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466219#M80328 <P>Casing matters; use this EXACTLY:</P> <H4>Props:</H4> <PRE><CODE>TRANSFORMS-filter = null_all_my_stuff, unnull_IQ_stuff, stuff_to_different_index </CODE></PRE> <H4>Transforms:</H4> <PRE><CODE>[null_all_my_stuff] REGEX= . DEST_KEY = queue FORMAT = nullQueue [unnull_IQ_stuff] REGEX= (Event|Payment|Transaction) DEST_KEY = queue FORMAT = indexQueue [stuff_to_different_index] REGEX= (Event|Payment|Transaction) DEST_KEY = _MetaData:Index FORMAT = Event_log </CODE></PRE> Sat, 26 Oct 2019 02:51:50 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466219#M80328 woodcock 2019-10-26T02:51:50Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466220#M80329 <P>Yes, but what about the 3rd one for routing data to another index ? </P> <P>As I mentioned, I want to route data to new index. Which is events_logs. But that is not working.. </P> <P>That is the reason I posted for help. </P> <P>Thanks, </P> Sat, 26 Oct 2019 03:13:57 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466220#M80329 satyaallaparthi 2019-10-26T03:13:57Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466221#M80330 <P>There is no description of such a requirement in the OP. Edit it and add those details.</P> Sat, 26 Oct 2019 04:10:56 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466221#M80330 woodcock 2019-10-26T04:10:56Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466222#M80331 <P>Hi satyaallaparthi,<BR /> If you have an Heavy Forwarder, you have to put conf files on Heavy Forwarder.</P> <P>I hint to use only the first two commands to debug the situation, I know that you need also the third command, but usually the correct approach is to debug problem by problem.</P> <P>Ciao.<BR /> Giuseppe</P> Sat, 26 Oct 2019 06:19:35 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466222#M80331 gcusello 2019-10-26T06:19:35Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466223#M80332 <P>Yes, I did edited now. </P> <P>[Events]<BR /> REGEX= .+(Event|Payment|Transaction).+<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = Event_log</P> <P>Thanks,</P> Wed, 30 Sep 2020 02:45:18 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466223#M80332 satyaallaparthi 2020-09-30T02:45:18Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466224#M80333 <P>Sure, </P> <P>I will do the the step by step process and will let u know.</P> <P>Thanks, </P> Sat, 26 Oct 2019 13:10:39 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466224#M80333 satyaallaparthi 2019-10-26T13:10:39Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466225#M80334 <P>If you are sure that your settings are correct, then it must be something else. If you are doing a <CODE>sourcetype override</CODE>/overwrite, you must use the <EM>ORIGINAL</EM> value, <EM>NOT</EM> the new value. You must deploy your settings to the <CODE>first full instance(s)</CODE> of Splunk that handle the events (usually either the <CODE>HF tier</CODE> if you use one, or else your <CODE>Indexer tier</CODE>), restart all Splunk instances there, send in new events (old events will stay broken), then test using <CODE>_index_earliest=-5m</CODE> to be absolutely certain that you are only examining the newly indexed events.</P> Sat, 26 Oct 2019 15:21:34 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466225#M80334 woodcock 2019-10-26T15:21:34Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466226#M80335 <P>OK, I updated my original answer at the top of this thread. The main thing is that <CODE>Queue</CODE> must be <CODE>queue</CODE>. See my other answer if it still doesn't work.</P> Sat, 26 Oct 2019 15:41:32 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466226#M80335 woodcock 2019-10-26T15:41:32Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466227#M80336 <P>Hello, </P> <P>I really don't know what is going on in my splunk. </P> <P>I tried to route data from main index to iis_nonprod. That is not working. </P> <P>I kept props and transforms in HF. Because the data is touting HF before going to IDX.</P> <P>source: e:\IISLogs\W3SVC1\u_ex191029.log</P> <P>props: <BR /> [source::e:\IISLogs\W3SVC1*.log]<BR /> TRANSFORMS-filter = routeData</P> <P>tried both REGEX = . and REGEX= . and REGEX =. but nothing is working.</P> <P>transforms:<BR /> [routeData]<BR /> REGEX = .<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = iis_nonprod</P> <P>but still the data is not routing. </P> <P>By the way. the above filterings are not working. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>can you please help me with that? </P> Wed, 30 Sep 2020 02:43:32 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466227#M80336 satyaallaparthi 2020-09-30T02:43:32Z https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466228#M80337 <P>Hello,</P> <P>I really don't know what is going on in my splunk.</P> <P>I tried to route data from main index to iis_nonprod. That is not working.</P> <P>I kept props and transforms in HF. Because the data is touting HF before going to IDX.</P> <P>source: e:\IISLogs\W3SVC1\u_ex191029.log</P> <P>props:<BR /> [source::e:\IISLogs\W3SVC1*.log]<BR /> TRANSFORMS-filter = routeData</P> <P>tried both REGEX = . and REGEX= . and REGEX =. but nothing is working.</P> <P>transforms:<BR /> [routeData]<BR /> REGEX = .<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = iis_nonprod</P> <P>but still the data is not routing.</P> <P>By the way. the above filterings are not working. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>can any one please help me with that?</P> Wed, 30 Sep 2020 02:43:35 GMT https://community.splunk.com/t5/Getting-Data-In/Need-Help-in-filtering-data-ad-ingest-few-of-the-data/m-p/466228#M80337 satyaallaparthi 2020-09-30T02:43:35Z