Archive

Discard event after 10 lines

Path Finder

Hi,
I have many events of 500 lines. Only first 10 lines are important. How to truncate or discard or ignore the remaining lines before indexing?
When I use MAX_EVENTS in props.conf, Splunk breaks event after 10 lines and creats new event. Tried using BREAK_ONLY_BEFORE, LINEBREAK but nothing seems working.

Please suggest props.conf entry to index only 10 lines from event.

Tags (1)
0 Karma

Super Champion

Check this one -

In inputs.conf
[monitor:///app/tmp/testfile]
sourcetype = testSourceType
index = main
disabled = 0
whitelist = .log$

In props.conf
[testSourceType]
TRANSFORMS-shortenEvents = keepOnly10Lines

In transforms.conf
[keepOnly10Lines]
REGEX = (?m)^((.*\n){10})((.*\n)*)
FORMAT = $1
DEST_KEY = _raw

0 Karma

Path Finder

Hi,
Thanks for the reply.
I am indexing file from Web UI. I created props.conf and transforms.conf in default directory as mentioned.
Restarted Splunk. Then, when I select sourcetype as" testSourceType", I see transforms name in Advance but the right hand side prieview still shows large events and not discarding lines after 10.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!