Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Filter strings of event before index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filter strings of event before index
Hi, as i'm new to using Splunk, i would like to know how to filter the string "2013-09-20 16:53:00, 231 Success transport" before it is index, how to do it and where to configure it? thks
2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent
2013-09-20 16:53:00, 231 Success transport
2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems like the poster was just looking to remove PART of a log or event, but the answer given will remove the ENTIRE EVENT .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
correct, it is writing the right regex, as i mentioned i'm new in using Splunk, so not very sure how to write the right regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you read the linked doc page? Given that you understand the basic principle of how routing events to the nullQueue works, it's just a question of writing the right regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To be exact, i need to filter the string is "2013-09-20 16:53:34,374 INFO [Thread-2] [null:-1] Success. Connected to AB Server at 192.11.12.13:123.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can filter out events before they are indexed with the help of a so-called nullQueue transform. Please note that the regex below is pretty specific in order not to remove events you want to keep.
props.conf
[your_source_or_sourcetype]
TRANSFORM-blah = remove_success_transport
transforms.conf
[remove_success_transport]
REGEX = ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sSuccess\stransport$
DEST_KEY = queue
FORMAT = nullQueue
For more info;
/K
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
