Getting Data In

Exclude lines from log at input time

marziaolla
Path Finder

Hello there,
i got a Catalina log and i don't want to index lines that contains one of that word: API PROXY, WARN, ERROR

After that i want to aggregate some lines.

I'm using a Single instance deployment of Splunk7.1.

Can someone help me to delete the log lines?

Thanks

0 Karma

artist0
New Member

Don't you forget to modify your props.conf and restart splunk?

0 Karma

marziaolla
Path Finder

i've modified props.conf and restart but it still doesnt work

0 Karma

HiroshiSatoh
Champion

If you want to filter the captured logs, use "nullQueue".

Filter event data and send to queues
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma

marziaolla
Path Finder

I tried with this transforms.conf file

[setnull]
REGEX = API PROXY|WARN|ERROR
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

but it doesn't work

0 Karma

HiroshiSatoh
Champion

How is this done?

 [setnull]
 REGEX = (API PROXY|WARN|ERROR)
 DEST_KEY = queue
 FORMAT = nullQueue
0 Karma

artist0
New Member
0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...