Getting Data In

Exclude lines from log at input time

marziaolla
Path Finder

Hello there,
i got a Catalina log and i don't want to index lines that contains one of that word: API PROXY, WARN, ERROR

After that i want to aggregate some lines.

I'm using a Single instance deployment of Splunk7.1.

Can someone help me to delete the log lines?

Thanks

0 Karma

artist0
New Member

Don't you forget to modify your props.conf and restart splunk?

0 Karma

marziaolla
Path Finder

i've modified props.conf and restart but it still doesnt work

0 Karma

HiroshiSatoh
Champion

If you want to filter the captured logs, use "nullQueue".

Filter event data and send to queues
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma

marziaolla
Path Finder

I tried with this transforms.conf file

[setnull]
REGEX = API PROXY|WARN|ERROR
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

but it doesn't work

0 Karma

HiroshiSatoh
Champion

How is this done?

 [setnull]
 REGEX = (API PROXY|WARN|ERROR)
 DEST_KEY = queue
 FORMAT = nullQueue
0 Karma

artist0
New Member
0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...