https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533452#M89598 <P>Is it possible to use props and transforms in UF?</P> Thu, 17 Dec 2020 13:55:38 GMT sivaranjiniG 2020-12-17T13:55:38Z https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533436#M89595 <P>I have a file with full of logs from different sources. But i want to monitor only logs from a particular network device(cisco-ise). Please help me do it using props</P><P>here in the example wherever&nbsp;&lt;ise-hostname&gt; those has to be monitored(means before going to indexer it should extract ise logs</P><LI-CODE lang="markup">Oct 6 03:44:01 &lt;hostname&gt; rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1294" x-info="http://www.rsyslog.com"] rsyslogd was HUPed Oct 6 03:44:02 &lt;hostname&gt; rhsmd: This system is registered to RHN Classic. Oct 6 03:44:06 &lt;ise-hostname&gt; &lt;hostname&gt;: Dropping Primary discovery request from AP - limit for maximum APs supported 30 reached Oct 6 03:40:16 &lt;ise-hostname&gt; CISE_Failed_Attempts 1 0 2019-10-06 03:40:16.968 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=&lt;ip-address&gt;, Device Port=&lt;PORT&gt;, DestinationIPAddress=&lt;ip-address&gt;, DestinationPort=&lt;PORT&gt;, Protocol=Radius, User-Name=ppp, Acct-Status-Type=Start, Acct-Session Id=sfaksdaksf, Event-Ti mestamp=1569504083, AcsSessionID=&lt;hostname&gt;/asdasd, FailureReason=11007 Could not locate Network Device , Step=333, Step=55, Step=22, Step=11, #44 Oct 6 03:44:09 &lt;hostname&gt;: MOBILESTATION_NOT_FOUND: Could not find the mobile sadas in internal database Oct 6 03:40:26 &lt;ise-hostname&gt; CISE_Failed_Attempts 1 0 2019-10-06 03:40:26.180 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=&lt;ip-address&gt;, Device Port=&lt;port&gt;, DestinationIPAddress=&lt;ip-address&gt;, DestinationPort=&lt;port&gt;, Protocol=Radius, User-Name=wipro, Acct-Status-Type=Start, Acct-Session-Id=sdfsdfs, Event-Timestamp=1569504083, AcsSessionID=dfsdf, FailureReason=33 Could not locate Network Device , Step=343, Step=231, Step=55, Step=11, #44</LI-CODE><P>&nbsp;</P> Thu, 17 Dec 2020 13:10:09 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533436#M89595 sivaranjiniG 2020-12-17T13:10:09Z https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533442#M89596 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.1/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A><BR /><BR />how about <STRONG>queue</STRONG> and <STRONG>nullqueue</STRONG>?</P> Thu, 17 Dec 2020 13:31:09 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533442#M89596 to4kawa 2020-12-17T13:31:09Z https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533452#M89598 <P>Is it possible to use props and transforms in UF?</P> Thu, 17 Dec 2020 13:55:38 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533452#M89598 sivaranjiniG 2020-12-17T13:55:38Z https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533453#M89599 <P>This is not possible at UF.&nbsp;Please use indexer to do this.<BR />This will not affect the license.</P><P>&nbsp;</P><P><A href="https://community.splunk.com/t5/Installation/Filter-Indexing-to-Avoid-License-Issues/m-p/91903" target="_blank">https://community.splunk.com/t5/Installation/Filter-Indexing-to-Avoid-License-Issues/m-p/91903</A></P> Thu, 17 Dec 2020 13:59:29 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-in-extracting-network-events-before-indexing/m-p/533453#M89599 to4kawa 2020-12-17T13:59:29Z