To avoid excessive index usage, I want to filter data before it is indexed, and I also want to extract fields before indexing.
As of now, I am trying to configure field extraction so that later I can filter data based on field values.
Following is my configuration; I don't know why props.conf and transforms.conf aren't working.
Configuration on the Splunk Universal Forwarder is as follows:
[monitor://C:\myfoler\mylogfile.log]
disabled = false
index = test_index
sourcetype = Logfile
Splunk Indexer configuration is as follows:
cat $SPLUNK_HOME/etc/system/local/props.conf
[source::C:\\myfoler\\mylogfile.log]
TRANSFORMS-MyLOG = MyLOG
cat $SPLUNK_HOME/etc/system/local/transforms.conf
[MyLOG]
DEST_KEY = _raw
REGEX = (?<MyType>\w+)\s+\|\s+jvm\s+1\s+\|\s+(?<Date>\d+\/\d+\/\d+)\s+(?<Time>\d+\:\d+\:\d+)\s+\|\s+(?<EventTimeStamp>.*)-\s+(?<Message>.*)
FORMAT = $1 $2 $3 $4 $5
The regex works perfectly fine when I use it in Splunk search.
Please also advise how I can filter data, for example:
if fieldx == Value1 // Index this data
if fieldx == Value2 // Drop this data
Thanks
Use this instead:
[source::C:\\myfoler\\mylogfile.log]
# SEDCMD uses a PCRE regex: capture groups are written ( ), not \( \)
SEDCMD-trim_raw = s%(\w+)\s+\|\s+jvm\s+1\s+\|\s+(\d+\/\d+\/\d+)\s+(\d+\:\d+\:\d+)\s+\|\s+(.*)-\s+(.*)%\1 \2 \3 \4 \5%
I used the following configuration, but I was getting an error when I restarted Splunk Enterprise.
cat etc/system/local/transforms.conf
[MyLOG]
DEST_KEY = _raw
SEDCMD-trim_raw = s%\(\w+\)\s+\|\s+jvm\s+1\s+\|\s+\(\d+\/\d+\/\d+\)\s+\(\d+\:\d+\:\d+\)\s+\|\s+\(.*\)-\s+\(.*\)%\1 \2 \3 \4 \5%
FORMAT = $MyType $Data $Time $EventTimeStamp $Message
The error is as follows:
Invalid key in stanza [fMyLOG] in $SPLUNK_HOME/etc/system/local/transforms.conf, line 3: SEDCMD-trim_raw (value: s%\(\w+\)\s+\|\s+jvm\s+1\s+\|\s+\(\d+\/\d+\/\d+\)\s+\(\d+\:\d+\:\d+\)\s+\|\s+\(.*\)-\s+\(.*\)%\1 \2 \3 \4 \5%).
Am I doing something wrong here?
Yes, you do not need the DEST_KEY, nor the FORMAT; you only need the single SEDCMD line under the stanza header, and it needs to be in props.conf, not transforms.conf. It needs to be deployed to your indexers and all Splunk instances restarted there. This will only affect events which are indexed AFTER the restarts.
I think your main problem is that you are trying to do this on the UF. It needs to be done using a heavy forwarder or on the indexer.
For filtering, take a look at "Filter event data and send to queues" in the documentation.
Dave
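As an added example (not part of the original thread, and not Splunk's own documentation), here is what the corrected SEDCMD rewrite from the first answer and the queue-based filtering that Dave points to look like when put together. The source stanza and the five-group regex are the ones from the question; the fieldx=Value1 / fieldx=Value2 token in the message, the class names trim_raw and routing, the stanza names drop_value2, drop_all and keep_value1, and the sample log line are assumptions made for illustration. Both files go under $SPLUNK_HOME/etc/system/local (or in an app) on the indexer or a heavy forwarder, not on the universal forwarder, and take effect only for events that arrive after a restart.

```ini
# ---- props.conf (indexer or heavy forwarder; a universal forwarder ignores this) ----
[source::C:\\myfoler\\mylogfile.log]
# Index-time rewrite of _raw. SEDCMD takes a PCRE regex, so capture groups are
# written "( )"; "\(" would match a literal parenthesis and never capture.
# The replacement keeps the five groups (level, date, time, application
# timestamp, message) separated by single spaces and drops the "| jvm 1 |"
# wrapper text.
SEDCMD-trim_raw = s/(\w+)\s+\|\s+jvm\s+1\s+\|\s+(\d+\/\d+\/\d+)\s+(\d+:\d+:\d+)\s+\|\s+(.*)-\s+(.*)/\1 \2 \3 \4 \5/

# Queue routing. Transforms in one class run in the order listed, and the last
# one that matches decides the queue. Enable ONE of the two lines below.
# (a) blocklist: index everything except events carrying fieldx=Value2
TRANSFORMS-routing = drop_value2
# (b) allowlist: discard everything except events carrying fieldx=Value1
#TRANSFORMS-routing = drop_all, keep_value1

# ---- transforms.conf ----
# Constructed sample line these stanzas are written against (assumed Java
# service-wrapper format; "fieldx=..." is a hypothetical key=value token
# inside the message part, which survives the SEDCMD rewrite above):
#   INFO   | jvm 1    | 2013/05/01 12:00:00 | 2013-05-01 12:00:00,123 INFO com.example.App - fieldx=Value2 user=bob

# Send matching events to the null queue: they are discarded before indexing.
[drop_value2]
REGEX = \bfieldx=Value2\b
DEST_KEY = queue
FORMAT = nullQueue

# Allowlist variant, first half: discard every event from this source ...
[drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... second half: put the ones you want back on the index queue.
[keep_value1]
REGEX = \bfieldx=Value1\b
DEST_KEY = queue
FORMAT = indexQueue
```

The filter regexes match a token that is still present after the _raw rewrite, so the result does not depend on whether the SEDCMD or the routing transform runs first. After restarting, confirm the merged settings with `splunk btool props list --debug` and `splunk btool transforms list --debug`, then search the source in index=test_index for new events containing fieldx=Value2: none should appear. Events routed to nullQueue are gone for good, so test the rules against a copy of the log before pointing them at production data.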
Thanks for your response.
Using the UF, I am just forwarding logs.
props.conf and transforms.conf are placed on the indexer (Splunk Enterprise).