https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515484#M87294 <P>If you can produce a regular expression that defines a JSON event then you can use a transform to filter them out.</P><P>Put this in a tranforms.conf file</P><LI-CODE lang="markup">[indexdata] REGEX = . DEST_KEY = queue FORMAT = indexQueue [filterjson] REGEX = &lt;your regex that detects JSON messages&gt; DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>Then add this to the corresponding props.conf file:</P><LI-CODE lang="markup">[mysourcetype] TRANSFORMS-nojson = indexdata, filterjson</LI-CODE> Fri, 21 Aug 2020 15:01:05 GMT richgalloway 2020-08-21T15:01:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515349#M87280 <P>Hi,</P> <P>I want to extract all the log events (normal lines) except JSON messages. There should be an easy way for this. Any hints, please?</P> <P>&nbsp;</P> <P>My log file is a mix something like below</P> <P>----------</P> <P>normal line</P> <P>normal line</P> <P>json events {</P> <P>{json messages}</P> <P>}</P> <P>normal line</P> <P>etc</P> <P>etc</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Naresh</P> Fri, 21 Aug 2020 21:58:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515349#M87280 nareshinsvu 2020-08-21T21:58:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515484#M87294 <P>If you can produce a regular expression that defines a JSON event then you can use a transform to filter them out.</P><P>Put this in a tranforms.conf file</P><LI-CODE lang="markup">[indexdata] REGEX = . DEST_KEY = queue FORMAT = indexQueue [filterjson] REGEX = &lt;your regex that detects JSON messages&gt; DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>Then add this to the corresponding props.conf file:</P><LI-CODE lang="markup">[mysourcetype] TRANSFORMS-nojson = indexdata, filterjson</LI-CODE> Fri, 21 Aug 2020 15:01:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515484#M87294 richgalloway 2020-08-21T15:01:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515677#M87314 <P data-unlink="true">Hi @<SPAN class="UserName lia-user-name lia-user-rank-SplunkTrust lia-component-message-view-widget-author-username"><SPAN class="login-bold">richgalloway</SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><P>I am struggling with regex actually.&nbsp; My regex is only capturing partial json message (until the first "}")</P><P>I am trying to search all lines between "line starting with {" and "line starting with }". But ^ is not picking my search</P><P>So, I am stuck with this regex currently&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp; \{[\s\S]*?\}</P><P>{</P><P>&nbsp; {</P><P>&nbsp;&nbsp;&nbsp; {},</P><P>&nbsp; },</P><P>}.</P> Mon, 24 Aug 2020 03:25:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515677#M87314 nareshinsvu 2020-08-24T03:25:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515720#M87323 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/156769">@nareshinsvu</a>&nbsp;</P><P>Regular expressions require a fairly strict definition. You haven't presented anything here.</P> Mon, 24 Aug 2020 08:36:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-all-log-events-excluding-JSON-messages/m-p/515720#M87323 to4kawa 2020-08-24T08:36:34Z