Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Custom Filters
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm using the Unversal Forwarder to 'monitor' log files on the clients but I just can't index everything forwarded, there's too much data.
I know I can use REGEX to filter the data before it's indexed using the nullQueue example in the DOC. That's fine, it's working.
My problem is that filtering by REGEX is not flexible enough for what I need. Ideally I'd like to plug in a script (python or other) to only let some of the data reach the Indexer.
Is that possible at all? Or am I chasing a dead-end?
Regards,
Didier,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is not possible to filter using anything other than regular expressions at index time.
One possible way to achieve this is to replace your file monitor input with a scripted input, and then implement all your filtering logic in the script you write for reading the input data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is not possible to filter using anything other than regular expressions at index time.
One possible way to achieve this is to replace your file monitor input with a scripted input, and then implement all your filtering logic in the script you write for reading the input data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That should do. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(Late comment) Depending on what you're trying to do, you could also use SEDCMD in props.conf to throw away the parts of the events that you don't want indexed.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
