https://community.splunk.com/t5/Splunk-Search/Discarding-specific-event-and-keeping-the-rest/m-p/37113#M178613 <P>Correction: props.conf<BR /> [source::d:\TGNI\Logs*.log] <BR /> TRANSFORMS-null= setnull</P> <P>Correction to transforms.conf<BR /> [setnull] <BR /> REGEX = Category\:\sInfo<BR /> DEST_KEY = queue <BR /> FORMAT = nullQueue</P> <P>I cant still discard the info events. Where am i doing mistake?</P> Tue, 19 Feb 2013 23:40:45 GMT pdash 2013-02-19T23:40:45Z https://community.splunk.com/t5/Splunk-Search/Discarding-specific-event-and-keeping-the-rest/m-p/37112#M178612 <P>Below is the raw data that am getting. I want to extract the events where category is Error.<BR /> For this am doing this in props.conf.</P> <P>[source::d:\TGNI\Logs*.log] <BR /> TRANSFORMS-null= setnull</P> <P>And transform.conf:<BR /> [setnull] <BR /> REGEX = Category: Error<BR /> DEST_KEY = queue <BR /> FORMAT = nullQueue</P> <P>Is this the right way to do?</P> <P>1 » 2/18/13<BR /> 6:48:54.000 PM<BR /><BR /> Timestamp: 2/18/2013 6:48:54 PM<BR /> Category: Error<BR /> Machine: devmundia01<BR /> IP Address: <BR /> Customer ID: <BR /> Request URL: <BR /> Referrer URL: <BR /> Browser Name: <BR /> Browser Version: <BR /> User Agent: <BR /> Show all 24 lines<BR /> host=devmundia01 Options| sourcetype=mundiaerr Options| source=d:\TGNI\Logs\tgni-mundia.2013-02-19.log Options</P> <P>2 » 2/18/13<BR /> 6:48:53.000 PM<BR /><BR /> Timestamp: 2/18/2013 6:48:53 PM<BR /> Category: Info<BR /> Machine: devmundia01<BR /> IP Address: 10.6.8.28 (3yu4xv0x5bbyk5345sqcbegq)<BR /> Customer ID: <BR /> Request URL: <A href="http://10.13.65.105/">http://10.13.65.105/</A><BR /> Referrer URL: <BR /> Browser Name: Jakarta Commons-HttpClient<BR /> Browser Version: 0.0<BR /> User Agent: Jakarta Commons-HttpClient/3.0.1<BR /> Show all 16 lines<BR /> host=devmundia01 Options| sourcetype=mundiaerr Options| source=d:\TGNI\Logs\tgni-mundia.2013-02-19.log Options</P> Tue, 19 Feb 2013 23:27:18 GMT https://community.splunk.com/t5/Splunk-Search/Discarding-specific-event-and-keeping-the-rest/m-p/37112#M178612 pdash 2013-02-19T23:27:18Z https://community.splunk.com/t5/Splunk-Search/Discarding-specific-event-and-keeping-the-rest/m-p/37113#M178613 <P>Correction: props.conf<BR /> [source::d:\TGNI\Logs*.log] <BR /> TRANSFORMS-null= setnull</P> <P>Correction to transforms.conf<BR /> [setnull] <BR /> REGEX = Category\:\sInfo<BR /> DEST_KEY = queue <BR /> FORMAT = nullQueue</P> <P>I cant still discard the info events. Where am i doing mistake?</P> Tue, 19 Feb 2013 23:40:45 GMT https://community.splunk.com/t5/Splunk-Search/Discarding-specific-event-and-keeping-the-rest/m-p/37113#M178613 pdash 2013-02-19T23:40:45Z https://community.splunk.com/t5/Splunk-Search/Discarding-specific-event-and-keeping-the-rest/m-p/37114#M178614 <P>Splunk applies your transformation as part of the parsing process - before the raw data is written to the data store. Therefore, your transform will <EM>only</EM> apply to <STRONG>new</STRONG> data. Data that has already been indexed will not be removed.</P> <P>You will have to remove the data from the index and reindex it, if you want your changes to apply to existing data.</P> <P>Second, your <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE> files must reside on the Splunk server(s) doing the parsing. Usually this means that the .conf files go on the indexer(s). However, if you are using a <EM>heavy</EM> forwarder, it will be doing the parsing and so the .conf files will go there instead.</P> <P>Finally, it is possible that you need to update the regex to</P> <PRE><CODE>REGEX = (?m)Category\:\sInfo </CODE></PRE> Wed, 20 Feb 2013 02:45:03 GMT https://community.splunk.com/t5/Splunk-Search/Discarding-specific-event-and-keeping-the-rest/m-p/37114#M178614 lguinn2 2013-02-20T02:45:03Z