Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Exclude lines from log at input time

marziaolla
Explorer
‎05-30-2018 02:50 AM

Hello there,
i got a Catalina log and i don't want to index lines that contains one of that word: API PROXY, WARN, ERROR

After that i want to aggregate some lines.

I'm using a Single instance deployment of Splunk7.1.

Can someone help me to delete the log lines?

Thanks

0 Karma
Reply

artist0
New Member
‎05-30-2018 06:24 AM

Don't you forget to modify your props.conf and restart splunk?

0 Karma
Reply

marziaolla
Explorer
‎05-30-2018 06:46 AM

i've modified props.conf and restart but it still doesnt work

0 Karma
Reply

HiroshiSatoh
Champion
‎05-30-2018 03:14 AM

If you want to filter the captured logs, use "nullQueue".

Filter event data and send to queues
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma
Reply

marziaolla
Explorer
‎05-30-2018 06:15 AM

I tried with this transforms.conf file 

[setnull]
REGEX = API PROXY|WARN|ERROR
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

but it doesn't work

0 Karma
Reply

HiroshiSatoh
Champion
‎05-30-2018 08:54 AM

How is this done?

 [setnull]
 REGEX = (API PROXY|WARN|ERROR)
 DEST_KEY = queue
 FORMAT = nullQueue
0 Karma
Reply

artist0
New Member
‎05-30-2018 03:09 AM

Hello, try some solutions from this post:

https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!