topic Collect specific rows of a trace file in Knowledge Management

Collect specific rows of a trace file

avitallange — Thu, 01 Aug 2013 13:39:10 GMT

Hi,

Is it possible to collect specific rows of a trace file?

I have one trace file that contains Info traces and Error traces.
I'd like Splunk to collect only the error lines.

For example, below are 2 rows in the trace file:

Time: 07/31/2013 10:35:30, Content: MyInfoMessage, Severity: Information

Time: 07/31/2013 10:45:30, Content: MyInfoMessage, Severity: Error

I'd like to collect with Splunk the second line only, the one that contains "Severity: Error"

Is thre any idea how to do this?

Re: Collect specific rows of a trace file

sowings — Thu, 01 Aug 2013 14:26:06 GMT

The usual way to do this would be to prompt Splunk to drop the messages that are "Severity: Information". This is done with a parse-time transform to set the _queue metadata field for that event to nullQueue. An example is shown below. The assumption is that your sourcetype for the data is "my_sourcetype".

props.conf

[my_sourcetype] TRANSFORMS-0_null_queue = drop_information_messages

transforms.conf

[drop_information_messages] REGEX = Severity:\sInformation DEST_KEY = queue FORMAT = nullQueue

See transforms.conf and look for nullQueue.