Exclude lines from log at input time

marziaolla · ‎05-30-2018

Hello there,
i got a Catalina log and i don't want to index lines that contains one of that word: API PROXY, WARN, ERROR

After that i want to aggregate some lines.

I'm using a Single instance deployment of Splunk7.1.

Can someone help me to delete the log lines?

Thanks

artist0 · ‎05-30-2018

Don't you forget to modify your props.conf and restart splunk?

marziaolla · ‎05-30-2018

i've modified props.conf and restart but it still doesnt work

HiroshiSatoh · ‎05-30-2018

If you want to filter the captured logs, use "nullQueue".

marziaolla · ‎05-30-2018

I tried with this transforms.conf file

[setnull]
REGEX = API PROXY|WARN|ERROR
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

but it doesn't work

HiroshiSatoh · ‎05-30-2018

How is this done?

 [setnull]
 REGEX = (API PROXY|WARN|ERROR)
 DEST_KEY = queue
 FORMAT = nullQueue

artist0 · ‎05-30-2018

Hello, try some solutions from this post:

Are you a member of the Splunk Community?