<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Filter data in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383174#M94967</link>
    <description>&lt;P&gt;Hello,&lt;BR /&gt;
I need to filter data in a heavy forwarder&lt;BR /&gt;
by discarding some events: I have the field "id" in my data. This field contains many types; I need to discard the id type id="1200006".&lt;/P&gt;

&lt;H2&gt;So, I tried this:&lt;/H2&gt;

&lt;P&gt;Propos.conf : &lt;BR /&gt;
[source::tcp:516]&lt;BR /&gt;
TRANSFORMS-null= setnull&lt;/P&gt;

&lt;P&gt;transforms.conf : &lt;BR /&gt;
 [setnull]&lt;BR /&gt;
 REGEX =[.*1200006.*]&lt;BR /&gt;
 DEST_KEY = queue&lt;BR /&gt;
 FORMAT = nullQueue&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;But it does not give a result!&lt;BR /&gt;
Any help please, thank you.&lt;/P&gt;</description>
    <pubDate>Wed, 10 Jul 2019 08:26:13 GMT</pubDate>
    <dc:creator>aalaa</dc:creator>
    <dc:date>2019-07-10T08:26:13Z</dc:date>
    <item>
      <title>Filter data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383174#M94967</link>
      <description>&lt;P&gt;Hello,&lt;BR /&gt;
I need to filter data in a heavy forwarder&lt;BR /&gt;
by discarding some events: I have the field "id" in my data. This field contains many types; I need to discard the id type id="1200006".&lt;/P&gt;

&lt;H2&gt;So, I tried this:&lt;/H2&gt;

&lt;P&gt;Propos.conf : &lt;BR /&gt;
[source::tcp:516]&lt;BR /&gt;
TRANSFORMS-null= setnull&lt;/P&gt;

&lt;P&gt;transforms.conf : &lt;BR /&gt;
 [setnull]&lt;BR /&gt;
 REGEX =[.*1200006.*]&lt;BR /&gt;
 DEST_KEY = queue&lt;BR /&gt;
 FORMAT = nullQueue&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;But it does not give a result!&lt;BR /&gt;
Any help please, thank you.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2019 08:26:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383174#M94967</guid>
      <dc:creator>aalaa</dc:creator>
      <dc:date>2019-07-10T08:26:13Z</dc:date>
    </item>
    <item>
      <title>Re: Filter data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383175#M94968</link>
      <description>&lt;P&gt;That regex is incorrect. Square brackets are for defining character sets. In this case your regex will match any event containing literal dots, 1, 2, 0 or 6. So it would likely send pretty much all your events to the nullQueue. Just use &lt;CODE&gt;REGEX = id="1200006"&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;You say "it does not give a result !". Do you mean you don't see any events anymore (explained by incorrect regex) or do you mean the config seems to have no effect? In that latter case: have you restarted the HF after adding that config? Have you checked using btool that that config is correctly interpreted by Splunk? Perhaps conflict with other transforms (setnull is not a very unique name and it must be a unique name).&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2019 09:08:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383175#M94968</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2019-07-10T09:08:01Z</dc:date>
    </item>
    <item>
      <title>Re: Filter data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383176#M94969</link>
      <description>&lt;H2&gt;I tried this:&lt;/H2&gt;

&lt;P&gt;Transforms.conf : &lt;BR /&gt;
[setnull]&lt;BR /&gt;
REGEX = id ="1200006"&lt;BR /&gt;
DEST_KEY = queue&lt;BR /&gt;
FORMAT = nullQueue&lt;/P&gt;

&lt;P&gt;Propos.conf : &lt;BR /&gt;
 [source::tcp://516]&lt;BR /&gt;
 TRANSFORMS-null= setnull&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;Same result, the event with the id=1200006 still exists.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2019 09:36:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383176#M94969</guid>
      <dc:creator>aalaa</dc:creator>
      <dc:date>2019-07-10T09:36:17Z</dc:date>
    </item>
    <item>
      <title>Re: Filter data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383177#M94970</link>
      <description>&lt;P&gt;Then have a look at the second part of my answer. And I think you can keep the [source::tcp:516] as you had it initially.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2019 09:39:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-data/m-p/383177#M94970</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2019-07-10T09:39:45Z</dc:date>
    </item>
  </channel>
</rss>

