Solved: Custom Filters

didier_again · ‎12-04-2012

I'm using the Unversal Forwarder to 'monitor' log files on the clients but I just can't index everything forwarded, there's too much data.

I know I can use REGEX to filter the data before it's indexed using the nullQueue example in the DOC. That's fine, it's working.

My problem is that filtering by REGEX is not flexible enough for what I need. Ideally I'd like to plug in a script (python or other) to only let some of the data reach the Indexer.

Is that possible at all? Or am I chasing a dead-end?

Regards,
Didier,

Ayn · ‎12-04-2012

It is not possible to filter using anything other than regular expressions at index time.

One possible way to achieve this is to replace your file monitor input with a scripted input, and then implement all your filtering logic in the script you write for reading the input data.

View solution in original post

Ayn · ‎12-04-2012

It is not possible to filter using anything other than regular expressions at index time.

One possible way to achieve this is to replace your file monitor input with a scripted input, and then implement all your filtering logic in the script you write for reading the input data.

didier_again · ‎12-04-2012

That should do. Thank you.

DUThibault · ‎04-23-2018

(Late comment) Depending on what you're trying to do, you could also use SEDCMD in props.conf to throw away the parts of the events that you don't want indexed.

Custom Filters

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update