Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter data out from Data Input

bahmed
New Member
‎04-16-2014 01:46 PM

Hi,

I have spent last 2 hours searching for this simple scenario on Splunk Answers, without any luck.
Here is the case.

  • Splunk 6.0.2 (Trial version)
  • OS : Windows 7, 64 Bit
  • Data Input : A Log4J file on my local computer

Requirement : Just want to index events which contains the string "[ERROR ]", in my indexer.

Any help will be greatly appreciated.

Tags (2)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-16-2014 02:24 PM

Setup those type of filters at the indexer level :
You can use a rule based on the sourcetype, and a matching regex based on the event.
You can test your regex on sample events with the "rex" command in splunk before to make sure.

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_even...

Reply

bahmed
New Member
‎04-23-2014 02:05 PM

For the new events, all of them are getting indexed including the one contains "Error".

I have restarted the Splunk on my local machine.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-23-2014 12:00 PM

This looked correct, What is the current behavior when you index new events :

  • all events are dropped the nullQueue (with or without the [ERROR] keyword)
  • all events are indexed ?
  • a mix of both ?

did you restarted the indexers to apply the change ?

0 Karma
Reply

bahmed
New Member
‎04-23-2014 09:45 AM

Thanks yannK. I have changed the regular expression as per your point 1. No change in the result.

My props/transforms are in the following directory : C:\Program Files\Splunk\etc\system\local

Does that makes them on indexers.

Appreciate your help.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-22-2014 02:17 PM

1- [ and ] are regex keyword, you should escape them
REGEX = \[ERROR\]

2- make sure that those props/transforms are on the indexers (not on universal or lightweight forwarders only)

0 Karma
Reply

bahmed
New Member
‎04-22-2014 01:59 PM

Based on the article, I set the following files as shown, but still not getting the filtered log.

props.config

[MyVacationLog]
TRANSFORMS-set= myvacnull,myvacparsing

transforms.config

[myvacnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[myvacparsing]
REGEX = [ERROR]
DEST_KEY = queue
FORMAT = indexQueue

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...