Re: Filter Events before Indexing

mh0712 · ‎01-29-2019

I get events from a universal forwarder. If "alertd[123456]: ABC:" be in the event, i would like to index it. All other events can be ignored.

Do you have a solution?

2019-01-23T14:22:45+01:00 host kernel: [123456.789101] ll header: yf:ff:ff:ef:ff:ff:00:00:00:00:88:05:01:00
2019-01-23T14:22:49+01:00 host alertd[456789]: get_db_c(): ......
2019-01-23T14:22:50+01:00 host alertd[123456]: CEF:0|abcdef|host|....
2019-01-23T14:22:59+01:00 host alertd[456789]: abc_send(): ......

I have tried the following configuration on the Indexer, but it didn't work:

props.conf
[source::C:\Users\test\testsource.log]
TRANSFORMS-set = setnull,setparsing

transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (alertd[\d{1,6}]:\s\w{3}:)
DEST_KEY = queue
FORMAT = indexQueue

Thanks for your solutions.

vishaltaneja070 · ‎01-30-2019

Try this:
[source::C:\Users\test\testsource.log]
TRANSFORMS-set = setnull,setparsing

DMohn · ‎01-30-2019

I guess you are missing the escape characters for the square brackets here ...

 (alertd\[\d{1,6}\]\:\s\w{3}\:)

Also, you should make sure, every event will go through both transforms, so maybe modify your props like this:

 [source::C:\Users\test\testsource.log]
 TRANSFORMS-set1 = setnull
 TRANSFORMS-set2 = setparsing

Another option would be to use only a setnull transform, and make sure the regex from the setparsing does NOT match. This would be like so:

 ^((?!(alertd\[\d{1,6}\]\:\s\w{3}\:)).)*$

richgalloway · ‎01-30-2019

Have you tried TRANSFORMS-set = setparsing,setnull?

---
If this reply helps you, Karma would be appreciated.

Filter Events before Indexing

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!