Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter data out from Data Input

bahmed
New Member
‎04-16-2014 01:46 PM

Hi,

I have spent last 2 hours searching for this simple scenario on Splunk Answers, without any luck.
Here is the case.

  • Splunk 6.0.2 (Trial version)
  • OS : Windows 7, 64 Bit
  • Data Input : A Log4J file on my local computer

Requirement : Just want to index events which contains the string "[ERROR ]", in my indexer.

Any help will be greatly appreciated.

Tags (2)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-16-2014 02:24 PM

Setup those type of filters at the indexer level :
You can use a rule based on the sourcetype, and a matching regex based on the event.
You can test your regex on sample events with the "rex" command in splunk before to make sure.

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_even...

Reply

bahmed
New Member
‎04-23-2014 02:05 PM

For the new events, all of them are getting indexed including the one contains "Error".

I have restarted the Splunk on my local machine.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-23-2014 12:00 PM

This looked correct, What is the current behavior when you index new events :

  • all events are dropped the nullQueue (with or without the [ERROR] keyword)
  • all events are indexed ?
  • a mix of both ?

did you restarted the indexers to apply the change ?

0 Karma
Reply

bahmed
New Member
‎04-23-2014 09:45 AM

Thanks yannK. I have changed the regular expression as per your point 1. No change in the result.

My props/transforms are in the following directory : C:\Program Files\Splunk\etc\system\local

Does that makes them on indexers.

Appreciate your help.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-22-2014 02:17 PM

1- [ and ] are regex keyword, you should escape them
REGEX = \[ERROR\]

2- make sure that those props/transforms are on the indexers (not on universal or lightweight forwarders only)

0 Karma
Reply

bahmed
New Member
‎04-22-2014 01:59 PM

Based on the article, I set the following files as shown, but still not getting the filtered log.

props.config

[MyVacationLog]
TRANSFORMS-set= myvacnull,myvacparsing

transforms.config

[myvacnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[myvacparsing]
REGEX = [ERROR]
DEST_KEY = queue
FORMAT = indexQueue

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...