topic Re: Syslog UDP data filtering to index in Getting Data In

Syslog UDP data filtering to index

mookiie2005 — Mon, 26 Aug 2013 16:30:15 GMT

We have data that comes into UDP port 514 on a heavy forwarder that we than send to our indexers. The data looks like the below:

Aug 26 12:23:19 10.142.102.50 Aug 26 12:23:18 pl-wlmuatdp4 [in01_sr][latency][info] wsgw(AutoPolicyManager): trans(76922997)[10.142.99.6]: Latency: 0 47 0 15 47 10 0 194 241 195 241 241 236 226 15 47
host=10.142.102.50 Options| sourcetype=Datapower Options| source=udp:514 Options| Test001=pl-wlmuatdp4 Options

We want to filter the data based on the field "in01_sr" the field has 4 possible values. Does anyone know how we can filter based on this value? Would it be done on the indexers or on the heavy forwarder? We would like to set it up so that we route to a separate index based on that value.

Re: Syslog UDP data filtering to index

yannK — Tue, 27 Aug 2013 15:11:03 GMT

filter on the heavy forwarder if you have any, otherwise on the indexer (the instance that will be Parsing the events first)
you can see this page for nullQueue examples :

http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest

Re: Syslog UDP data filtering to index

mookiie2005 — Mon, 28 Sep 2020 14:39:50 GMT

[Datapower]
TRANSFORMS-routing=st02_sr_routing
TRANSFORMS-routing=in01_sr_routing
TRANSFORMS-routing=pf04_sr_routing
TRANSFORMS-routing=uat_sr_routing

[st02_sr_routing]
REGEX = st02_sr
DEST_KEY=_MetaData:Index
FORMAT=Datapower_SIT

[in01_sr_routing]
REGEX = in01_sr
DEST_KEY=_MetaData:Index
FORMAT=Datapower_INT

[pf04_sr_routing]
REGEX = pf04_sr
DEST_KEY=_MetaData:Index
FORMAT=Datapower_Perf

[uat_sr_routing]
REGEX = uat_sr
DEST_KEY=_MetaData:Index
FORMAT=Datapower_uat

the above stanzas worked for what we were trying to do.