Getting Data In

Filter portions of multi-line logs using a Heavy Forwarder

Raghav2384
Motivator

Hello Experts, I had posted the same question a couple of days ago and had to re-post because of formatting issues. We are consuming certain logs at DEBUG level but realized that we only need to index a portion of those. We have decided to extract the required portions and discard the rest. These are logs averaging 50 lines per event. I just want to make sure we do it right the first time, as the usage is pretty deep and I do not want to interrupt it. Here's a sample log:

172.18.232.85 [2015-03-04 15:20:25,083] ===============================================
POLICY RESULT ERROR: Unable to authorize session - no authorization result found
Key1 = value1
Key2 = Value2
Key3 = Value3
Key4 = Value4
Key5 = Value5
Key6 = Value6
Key7 = Value7
Key8 = Value8
Key9 = Value9
DEBUG MSGS:

INFO : (core) Tagging message with ID: Important Stuff here
INFO : (radius) RADIUS device group assigned to: Phoenix
INFO : (radius) Loading session by the audit session id: XYZ
INFO : (core) Lock obtained on key: auditSessionId:ab1234bcngd
INFO : (core) Start session triggered
INFO : (radius) Radius usage reported 123456
INFO : (radius) Found generic location parameter ssid/DomainID
INFO : (radius) Found generic location parameter ap_mac/12-23-45-67-89
INFO : (location) Using generic ssid\XYZABC for location lookup.
INFO : (location) Using generic ap_mac\12-23-45-67-89 for location lookup.
INFO : (location) Location found for generic matching: ssid\DomainID
WARN : (auth) Failed USUM_AUTHORIZATION no password found for user
WARN : (core) Removing session since no authorization result found
WARN : (service) Stopping creation since the session has no services
INFO : (balance) Error found, rolling back transaction

ERROR : (core) Error processing policy request: Unable to authorize session - no authorization result found

We do not want to index the entire DEBUG portion. I just need to grab the fields/text in bold and send the rest to the null queue. All of these are multiline logs and I am not able to get close to achieving this. I appreciate any pointers.

Thanks,
Raghav

0 Karma

woodcock
Esteemed Legend

You can do it like this in your props.conf:

[MyBigFatSourcetype]
# Literal parentheses are escaped (an unescaped "(core)" is a regex group and never matches the text),
# (?m) makes ^ and $ anchor to each line of the multi-line event, and g drops every matching line
SEDCMD-slimfast = s/(?m)^INFO : \(core\) Start.*$//g s/(?m)^INFO : \(radius\) Radius.*$//g s/(?m)^INFO : \(location\).*$//g s/(?m)^WARN :.*$//g s/(?m)^INFO : \(balance\).*$//g

This will definitely work but the downside is that, although the text will definitely be gone, I think it will leave blank line gaps in the raw events which may be distracting/confusing.
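As an added illustration (not from the original thread), here is a Python emulation of those SEDCMD passes run over a constructed event modelled on the question's sample: the literal parentheses are escaped, `re.MULTILINE` stands in for the per-line anchoring, and a second substitution collapses the blank lines the answer warns about.

```python
import re

# Constructed sample event modelled on the log in the question (not a real capture).
SAMPLE_EVENT = """172.18.232.85 [2015-03-04 15:20:25,083] ===============================================
POLICY RESULT ERROR: Unable to authorize session - no authorization result found
Key1 = value1
DEBUG MSGS:
INFO : (core) Tagging message with ID: Important Stuff here
INFO : (radius) RADIUS device group assigned to: Phoenix
INFO : (core) Lock obtained on key: auditSessionId:ab1234bcngd
INFO : (core) Start session triggered
INFO : (radius) Radius usage reported 123456
INFO : (location) Using generic ssid\\XYZABC for location lookup.
INFO : (location) Location found for generic matching: ssid\\DomainID
WARN : (auth) Failed USUM_AUTHORIZATION no password found for user
INFO : (balance) Error found, rolling back transaction
ERROR : (core) Error processing policy request: Unable to authorize session - no authorization result found
"""

# The patterns from the SEDCMD above, with the literal parentheses escaped.
# re.MULTILINE plays the role of (?m): ^ and $ anchor to each line of _raw.
DROP_PATTERNS = [
    r"^INFO : \(core\) Start.*$",
    r"^INFO : \(radius\) Radius.*$",
    r"^INFO : \(location\).*$",
    r"^WARN :.*$",
    r"^INFO : \(balance\).*$",
]

def apply_sedcmd(raw: str, patterns=DROP_PATTERNS) -> str:
    """Emulate SEDCMD s/<regex>//g on one event: blank out every matching line."""
    for pat in patterns:
        raw = re.sub(pat, "", raw, flags=re.MULTILINE)
    return raw

def collapse_blank_lines(raw: str) -> str:
    """Second pass (equivalent to s/\\n{2,}/\\n/g) removing the empty lines left behind."""
    return re.sub(r"\n{2,}", "\n", raw)

def kept_lines(raw: str) -> list:
    """Lines that would reach the indexer after both passes."""
    return [ln for ln in collapse_blank_lines(apply_sedcmd(raw)).splitlines() if ln]

if __name__ == "__main__":
    print("\n".join(kept_lines(SAMPLE_EVENT)))
```

Note that `^INFO : \(radius\) Radius` is case-sensitive, so the "RADIUS device group" line survives while "Radius usage reported" is dropped; widen or loosen the patterns deliberately rather than by accident.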

Raghav2384
Motivator

Any ideas?

0 Karma

somesoni2
Revered Legend

Is the format of the logs always the same? We need to identify patterns for which lines to retain and which lines to discard.

0 Karma

Raghav2384
Motivator

Yes, it is standard; the pieces I want from the debug portion remain the same.

0 Karma