<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Filtering Data by props.conf and transform.conf in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Filtering-Data-by-props-conf-and-transform-conf/m-p/549618#M91295</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I need to filter out some events from a syslog source. The events are like this:&lt;/P&gt;&lt;P&gt;Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09&amp;nbsp;hostname: User&amp;nbsp;****&amp;nbsp;&amp;nbsp;: Sign Off, ID: **, InstID:&amp;nbsp;4731, IPAddress: *****, FolderID: 0, Username: ******, AgentBrand:&amp;nbsp;-, AgentVersion: -, XFerSize: 0, Error: 0&lt;/P&gt;&lt;P&gt;Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09&amp;nbsp;hostname: User&amp;nbsp;****&amp;nbsp;&amp;nbsp;:&amp;nbsp;Upload, ID: **, InstID:&amp;nbsp;4731, IPAddress: *****, FolderID:&amp;nbsp;1234, Username: ******, AgentBrand:&amp;nbsp;-, AgentVersion: -, XFerSize: 0, Error: 0&lt;/P&gt;&lt;P&gt;Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09&amp;nbsp;hostname: User&amp;nbsp;****&amp;nbsp;&amp;nbsp;: Sign Off, ID: **, InstID:&amp;nbsp;2819, IPAddress: *****, FolderID: 0, Username: ******, AgentBrand:&amp;nbsp;-, AgentVersion: -, XFerSize: 0, Error: 0&lt;/P&gt;&lt;P&gt;I have two different InstID (4731 and 2819) and many FolderID, so I need to keep all the events with InstID:2189 and the events with InstID:4731 and FolderID:0, so my goal is to discard by props.conf and transforms.conf all the events that have InstID:4731 and FolderID different from 0&lt;/P&gt;&lt;P&gt;Any help? Thanks in advance&lt;/P&gt;</description>
    <pubDate>Wed, 28 Apr 2021 13:34:29 GMT</pubDate>
    <dc:creator>marco_massari11</dc:creator>
    <dc:date>2021-04-28T13:34:29Z</dc:date>
    <item>
      <title>Filtering Data by props.conf and transform.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filtering-Data-by-props-conf-and-transform-conf/m-p/549618#M91295</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I need to filter out some events from a syslog source. The events are like this:&lt;/P&gt;&lt;P&gt;Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09&amp;nbsp;hostname: User&amp;nbsp;****&amp;nbsp;&amp;nbsp;: Sign Off, ID: **, InstID:&amp;nbsp;4731, IPAddress: *****, FolderID: 0, Username: ******, AgentBrand:&amp;nbsp;-, AgentVersion: -, XFerSize: 0, Error: 0&lt;/P&gt;&lt;P&gt;Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09&amp;nbsp;hostname: User&amp;nbsp;****&amp;nbsp;&amp;nbsp;:&amp;nbsp;Upload, ID: **, InstID:&amp;nbsp;4731, IPAddress: *****, FolderID:&amp;nbsp;1234, Username: ******, AgentBrand:&amp;nbsp;-, AgentVersion: -, XFerSize: 0, Error: 0&lt;/P&gt;&lt;P&gt;Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09&amp;nbsp;hostname: User&amp;nbsp;****&amp;nbsp;&amp;nbsp;: Sign Off, ID: **, InstID:&amp;nbsp;2819, IPAddress: *****, FolderID: 0, Username: ******, AgentBrand:&amp;nbsp;-, AgentVersion: -, XFerSize: 0, Error: 0&lt;/P&gt;&lt;P&gt;I have two different InstID (4731 and 2819) and many FolderID, so I need to keep all the events with InstID:2189 and the events with InstID:4731 and FolderID:0, so my goal is to discard by props.conf and transforms.conf all the events that have InstID:4731 and FolderID different from 0&lt;/P&gt;&lt;P&gt;Any help? Thanks in advance&lt;/P&gt;</description>
      <pubDate>Wed, 28 Apr 2021 13:34:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filtering-Data-by-props-conf-and-transform-conf/m-p/549618#M91295</guid>
      <dc:creator>marco_massari11</dc:creator>
      <dc:date>2021-04-28T13:34:29Z</dc:date>
    </item>
    <item>
      <title>Re: Filtering Data by props.conf and transform.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filtering-Data-by-props-conf-and-transform-conf/m-p/550400#M91400</link>
      <description>&lt;P&gt;I would say you have two main choices. Either try to come up with a regex to match those that you want to discard. Or come up with the regexes for those that you want to keep.&lt;/P&gt;&lt;P&gt;For the former, you would use that regex to send to the nullQueue. For the latter, you would set all events to the nullQueue, then set the events you want to keep to the indexQueue.&lt;/P&gt;&lt;P&gt;There are plenty of examples out here and in the docs on how to do that. For the regex, here is an example of the former that may work for you - white space is assumed to be consistent and the same as your examples. Obviously would need to be tested, but this is attempting to match 4731 events with any FolderID that isn't a single 0.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;InstID:\s*4731,.*?FolderID:\s+(0[^,]|[^0])&lt;/LI-CODE&gt;</description>
      <pubDate>Tue, 04 May 2021 13:25:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filtering-Data-by-props-conf-and-transform-conf/m-p/550400#M91400</guid>
      <dc:creator>maciep</dc:creator>
      <dc:date>2021-05-04T13:25:36Z</dc:date>
    </item>
  </channel>
</rss>

