https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456937#M95260 <P>Hey niddhi,</P> <P>Refer this link:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad</A><BR /> You need to add the filters in props and transforms.</P> <P>You need to add the parameters in the sourcetype stanza(sourcetype = aws:cloudwatch) in the props and transforms.<BR /> Create this stanza in /opt/splunk/etc/apps/aws/local and not in default.<BR /> Thou, you will have to verify the path as i am not sure how the app name will reflect.</P> <P>Let me know if this helps!!</P> Fri, 17 May 2019 11:08:06 GMT deepashri_123 2019-05-17T11:08:06Z https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456933#M95256 <P>Hi,</P> <P>I am getting cloudwatch logs data into Splunk. Right now, i am getting all the log data but i want only specific data(for eg, only the json stream being populated in logs once in a while).</P> <P>How can i filter the data before Splunk ingest all of it from Cloudwatch Logs.</P> <P>Thanks,<BR /> Niddhi</P> Thu, 16 May 2019 19:05:41 GMT https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456933#M95256 niddhi 2019-05-16T19:05:41Z https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456934#M95257 <P>multiple options are there for you<BR /> 1. If you are collecting using HF, you can do props/transforms to filter messages<BR /> 2. If you are using standalone indexer, you can do props/transforms at indexer tier to filter it</P> <P>Plenty of examples are present in this forum. But until unless you provide sample data and sample configuration you have, we don't really know which field to exclude etc.</P> Thu, 16 May 2019 20:40:03 GMT https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456934#M95257 koshyk 2019-05-16T20:40:03Z https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456935#M95258 <P>I have done it by installing and configuring splunk add On for AWS. I already had the log groups defined. So just pointing to the log groups in the cloudwatch log config did the trick to get the data. </P> <P>There are props.conf and transform.conf specific to this AddOn for AWS(different location on the splunk under apps.</P> <P>I am very nee to Splunk and have tried configuring props.conf and transform.conf without any luck.<BR /> Can you give me an example, as in what to give for source, sourcetype and where to define filter/pattern for cloudwatch logs.</P> <P>Thanks</P> Thu, 16 May 2019 21:21:07 GMT https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456935#M95258 niddhi 2019-05-16T21:21:07Z https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456936#M95259 <P>this is the link for configuring the cloudwatch logs: <A href="https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatchLogs">https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatchLogs</A></P> Thu, 16 May 2019 21:22:03 GMT https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456936#M95259 niddhi 2019-05-16T21:22:03Z https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456937#M95260 <P>Hey niddhi,</P> <P>Refer this link:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad</A><BR /> You need to add the filters in props and transforms.</P> <P>You need to add the parameters in the sourcetype stanza(sourcetype = aws:cloudwatch) in the props and transforms.<BR /> Create this stanza in /opt/splunk/etc/apps/aws/local and not in default.<BR /> Thou, you will have to verify the path as i am not sure how the app name will reflect.</P> <P>Let me know if this helps!!</P> Fri, 17 May 2019 11:08:06 GMT https://community.splunk.com/t5/Getting-Data-In/To-filter-data-from-cloudwatch-logs-to-splunk/m-p/456937#M95260 deepashri_123 2019-05-17T11:08:06Z