https://community.splunk.com/t5/Getting-Data-In/extracting-from-logs-before-indexing-to-server/m-p/49490#M9394 <P>I'm going to presume that your source application is using log4j as its logging framework(because activemq uses log4j) , therefore you could declare a seperate log4j appender in your log4j config file that outputs <STRONG>only</STRONG> the log data you want to send to the Splunk Indexer.</P> Thu, 28 Jul 2011 04:55:45 GMT Damien_Dallimor 2011-07-28T04:55:45Z https://community.splunk.com/t5/Getting-Data-In/extracting-from-logs-before-indexing-to-server/m-p/49489#M9393 <P>Hi </P> <P>Is there a way to extract a part of log event before it being indexed to splunk server for example<BR /> Below is the entire event.</P> <PRE><CODE>==================== {ActiveMQ Session Task} DEBUG LogCollector - start[1311770824360] time[474] tag[card;cardCreation;cardCreation End] host[hagrid.hyd.wc;127.0.0.1] {ActiveMQ Session Task} DEBUG PerfLoggerDAOImpl - getting ServiceOperationInfo Hibernate: select serviceope1_.id as id2_, serviceope1_.service_id as service2_2_, serviceope1_.operation_name as operation3_2_, serviceope1_.operation_descr as operation4_2_, serviceope1_.status as status2_ from service_info serviceinf0_, service_operation_info serviceope1_ where serviceope1_.service_id=serviceinf0_.id and serviceinf0_.name=? and serviceope1_.operation_name=? Hibernate: select serviceinf0_.id as id1_0_, serviceinf0_.name as name1_0_, serviceinf0_.description as descript3_1_0_, serviceinf0_.type as type1_0_, serviceinf0_.status as status1_0_ from service_info serviceinf0_ where serviceinf0_.id=? {ActiveMQ Session Task} DEBUG PerfLoggerDAOImpl - saving TaskExecutionInfo instance ============= </CODE></PRE> <P>But I want only to see this "start[1311770824360] time[474] host[hagrid.hyd.wc;127.0.0.1]" in my indexer and the rest of part should be ignored. the filtering to be done on the client side only.<BR /> Is this possible.<BR /> Regards,<BR /> Harish</P> Wed, 27 Jul 2011 17:05:33 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-from-logs-before-indexing-to-server/m-p/49489#M9393 dhs_harry08 2011-07-27T17:05:33Z https://community.splunk.com/t5/Getting-Data-In/extracting-from-logs-before-indexing-to-server/m-p/49490#M9394 <P>I'm going to presume that your source application is using log4j as its logging framework(because activemq uses log4j) , therefore you could declare a seperate log4j appender in your log4j config file that outputs <STRONG>only</STRONG> the log data you want to send to the Splunk Indexer.</P> Thu, 28 Jul 2011 04:55:45 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-from-logs-before-indexing-to-server/m-p/49490#M9394 Damien_Dallimor 2011-07-28T04:55:45Z https://community.splunk.com/t5/Getting-Data-In/extracting-from-logs-before-indexing-to-server/m-p/49491#M9395 <P>I am actually using splunk forwarder. Is it possible to specify in splunk forwarding config files or write some script to filter out the my application logs.</P> <P>Regards,<BR /> Harish</P> Thu, 28 Jul 2011 11:25:51 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-from-logs-before-indexing-to-server/m-p/49491#M9395 dhs_harry08 2011-07-28T11:25:51Z