https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/543769#M154038 <P>Hi,</P><P>You can use the below filter in the Syslog config. And it will filter only required logs.</P><P><STRONG>filter test{ match( "sgt=4" value("MESSAGE"));};</STRONG></P><P>If you need to add an additional filter you can just use OR operation.</P><P><STRONG>filter test{ match( "sgt=4" value("MESSAGE"));&nbsp;or match( "provide your keyword" value("MESSAGE"));};</STRONG></P><P>if this answer helps you then upvote it<STRONG>.</STRONG></P> Mon, 15 Mar 2021 05:05:28 GMT Vardhan 2021-03-15T05:05:28Z https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/543768#M154037 <P>We are receiving around 300gigs of syslog data everyday and we want to filter all the logs and index only what the network team wants us to. what is the configuration changes that can help me to achieve this?&nbsp;</P><P>&nbsp;</P><P>How do I filter all the unnecessary logs from the syslog server?</P><P>I just need to index the events, where one of the field says sgt=4</P><P>&nbsp;</P><P>Thanks &amp; Regards,</P><P>Manyutej Sanjeev</P> Mon, 15 Mar 2021 04:38:30 GMT https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/543768#M154037 novotxms 2021-03-15T04:38:30Z https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/543769#M154038 <P>Hi,</P><P>You can use the below filter in the Syslog config. And it will filter only required logs.</P><P><STRONG>filter test{ match( "sgt=4" value("MESSAGE"));};</STRONG></P><P>If you need to add an additional filter you can just use OR operation.</P><P><STRONG>filter test{ match( "sgt=4" value("MESSAGE"));&nbsp;or match( "provide your keyword" value("MESSAGE"));};</STRONG></P><P>if this answer helps you then upvote it<STRONG>.</STRONG></P> Mon, 15 Mar 2021 05:05:28 GMT https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/543769#M154038 Vardhan 2021-03-15T05:05:28Z https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/544884#M154300 <P>Any other answers please?&nbsp;</P> Tue, 23 Mar 2021 07:25:53 GMT https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/544884#M154300 novotxms 2021-03-23T07:25:53Z https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/544946#M154313 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232479">@novotxms</a>,</P><P>You can try sample below;</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A>&nbsp;</P><LI-CODE lang="markup">[source::/var/log/messages] TRANSFORMS-set= setnull,setparsing transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = sgt\=4 DEST_KEY = queue FORMAT = indexQueue</LI-CODE><P>&nbsp;</P> Tue, 23 Mar 2021 14:33:44 GMT https://community.splunk.com/t5/Splunk-Search/Syslog-Filteration/m-p/544946#M154313 scelikok 2021-03-23T14:33:44Z