Getting Data In

Exclude lines from log at input time

marziaolla
Path Finder

Hello there,
i got a Catalina log and i don't want to index lines that contains one of that word: API PROXY, WARN, ERROR

After that i want to aggregate some lines.

I'm using a Single instance deployment of Splunk7.1.

Can someone help me to delete the log lines?

Thanks

0 Karma

artist0
New Member

Don't you forget to modify your props.conf and restart splunk?

0 Karma

marziaolla
Path Finder

i've modified props.conf and restart but it still doesnt work

0 Karma

HiroshiSatoh
Champion

If you want to filter the captured logs, use "nullQueue".

Filter event data and send to queues
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma

marziaolla
Path Finder

I tried with this transforms.conf file

[setnull]
REGEX = API PROXY|WARN|ERROR
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

but it doesn't work

0 Karma

HiroshiSatoh
Champion

How is this done?

 [setnull]
 REGEX = (API PROXY|WARN|ERROR)
 DEST_KEY = queue
 FORMAT = nullQueue
0 Karma

artist0
New Member
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...