Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter & Ingest Data

Karthikeyan
Engager
‎08-17-2021 08:22 AM

Hi Experts,

I have specific requirement to split the contents of a file and ingest it as a separate events. In that events, a filter to be applied and ingest the filtered data to Splunk indexer.

I have created a REGEX pattern which split the contents of the file and ingesting the data in to separate events as desired. Now, my issue is with the filtering of ingested data. In each event, I need to filter fro AGGREGATED_EXECUTION and ingest only the event which has that content. I set the configuration as below.

props.conf:
[expensive_statements]
TRANSFORMS-set= send_events

 

transforms.conf:
[send_events]
REGEX = AGGREGATED_EXECUTION
DEST_KEY = queue
FORMAT = indexQueue

 

Above settings is made on HF. Still the filtering is not happening as expected. Kindly help in resolving the issue with filtering.

 

Regards, Karthikeyan.SV

Labels (3)
0 Karma
Reply

shivanshu1593
Builder
‎08-19-2021 09:13 AM

Instead of re-starting splunkd on the search head, try restarting the splunkd service on the Heavy Forwarder, where the changes have been made and then check if the results are effective.

 

If not, btool can tell if the configuration is really being loaded in the memory or not. 

Thanks,

****If it helped, please upvote and accept it as a solution. It helps others to find the solution more quickly in the future****

 

 

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply

Karthikeyan
Engager
‎08-19-2021 05:59 AM

I restarted SH after making the changes. Still the new props is not effected.

0 Karma
Reply

codebuilder
Influencer
‎08-18-2021 11:52 AM

Did you either restart the SHC/SH after making the changes?

Or you can run the following in the search bar to get the same results:

|rest /services/authentication/users splunk_server=local

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...