Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter data out from Data Input

bahmed
New Member
‎04-16-2014 01:46 PM

Hi,

I have spent last 2 hours searching for this simple scenario on Splunk Answers, without any luck.
Here is the case.

  • Splunk 6.0.2 (Trial version)
  • OS : Windows 7, 64 Bit
  • Data Input : A Log4J file on my local computer

Requirement : Just want to index events which contains the string "[ERROR ]", in my indexer.

Any help will be greatly appreciated.

Tags (2)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-16-2014 02:24 PM

Setup those type of filters at the indexer level :
You can use a rule based on the sourcetype, and a matching regex based on the event.
You can test your regex on sample events with the "rex" command in splunk before to make sure.

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_even...

Reply

bahmed
New Member
‎04-23-2014 02:05 PM

For the new events, all of them are getting indexed including the one contains "Error".

I have restarted the Splunk on my local machine.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-23-2014 12:00 PM

This looked correct, What is the current behavior when you index new events :

  • all events are dropped the nullQueue (with or without the [ERROR] keyword)
  • all events are indexed ?
  • a mix of both ?

did you restarted the indexers to apply the change ?

0 Karma
Reply

bahmed
New Member
‎04-23-2014 09:45 AM

Thanks yannK. I have changed the regular expression as per your point 1. No change in the result.

My props/transforms are in the following directory : C:\Program Files\Splunk\etc\system\local

Does that makes them on indexers.

Appreciate your help.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-22-2014 02:17 PM

1- [ and ] are regex keyword, you should escape them
REGEX = \[ERROR\]

2- make sure that those props/transforms are on the indexers (not on universal or lightweight forwarders only)

0 Karma
Reply

bahmed
New Member
‎04-22-2014 01:59 PM

Based on the article, I set the following files as shown, but still not getting the filtered log.

props.config

[MyVacationLog]
TRANSFORMS-set= myvacnull,myvacparsing

transforms.config

[myvacnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[myvacparsing]
REGEX = [ERROR]
DEST_KEY = queue
FORMAT = indexQueue

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...