Getting Data In

Exclude lines from log at input time

Explorer

Hello there,
I got a Catalina log and I don't want to index lines that contain one of these words: API PROXY, WARN, ERROR

After that I want to aggregate some lines.

I'm using a single-instance deployment of Splunk 7.1.

Can someone help me to delete the log lines?

Thanks

0 Karma

New Member

Don't you forget to modify your props.conf and restart Splunk?

0 Karma

Explorer

I've modified props.conf and restarted, but it still doesn't work

0 Karma

Champion

If you want to filter the captured logs, use "nullQueue".

Filter event data and send to queues
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma

Explorer

I tried with this transforms.conf file

[setnull]
REGEX = API PROXY|WARN|ERROR
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

but it doesn't work

0 Karma

Champion

How is this done?

[setnull]
REGEX = (API PROXY|WARN|ERROR)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
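
Added example, not part of any post above and not Splunk's own code: a simplified Python model of how transforms with `DEST_KEY = queue` are applied in the order listed in a props.conf `TRANSFORMS-<class>` setting, where the last matching transform decides the queue. It shows why listing `setparsing` after `setnull` indexes every line while `setnull` alone drops the matching ones; the sample Catalina-style lines, the helper names and the default queue are assumptions made for the illustration.

```python
import re

# Transforms as posted in the thread (transforms.conf stanzas).
TRANSFORMS = {
    "setnull": {"REGEX": r"API PROXY|WARN|ERROR", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r".", "FORMAT": "indexQueue"},
}

# Constructed sample lines in a Catalina-like layout (not from the thread).
SAMPLE_LINES = [
    "12-Jun-2018 10:00:01.120 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 5123 ms",
    "12-Jun-2018 10:00:02.481 WARN [http-nio-8080-exec-1] com.example.Cache.get cache miss",
    "12-Jun-2018 10:00:03.007 ERROR [http-nio-8080-exec-2] com.example.Dao.load timeout",
    "12-Jun-2018 10:00:04.350 INFO [http-nio-8080-exec-3] API PROXY forwarded request",
    "12-Jun-2018 10:00:05.900 INFO [http-nio-8080-exec-4] com.example.Auth.login user=alice ok",
]


def route(line, transform_order, default_queue="indexQueue"):
    """Return the queue a line ends up in.

    Simplified model (assumption): every listed transform is tried in order,
    and each one whose REGEX matches overwrites the queue, so the last match wins.
    """
    queue = default_queue
    for name in transform_order:
        stanza = TRANSFORMS[name]
        if re.search(stanza["REGEX"], line):
            queue = stanza["FORMAT"]
    return queue


def indexed(lines, transform_order):
    """Lines that would still be indexed (not routed to nullQueue)."""
    return [line for line in lines if route(line, transform_order) != "nullQueue"]


if __name__ == "__main__":
    for order in (["setnull", "setparsing"], ["setparsing", "setnull"], ["setnull"]):
        kept = indexed(SAMPLE_LINES, order)
        print(f"order {','.join(order)}: {len(kept)} of {len(SAMPLE_LINES)} lines indexed")
        for line in kept:
            print("   ", line)
```

Lines routed to nullQueue are discarded before indexing, so WARN and ERROR events filtered this way are not available to later searches or alerts.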
