Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter strings of event before index

thinksplunk
Engager
‎09-24-2013 06:53 AM

Hi, as i'm new to using Splunk, i would like to know how to filter the string "2013-09-20 16:53:00, 231 Success transport" before it is index, how to do it and where to configure it? thks

2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent

2013-09-20 16:53:00, 231 Success transport

2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process

Tags (2)
0 Karma
Reply

JimDeich
Path Finder
‎11-04-2014 06:53 PM

It seems like the poster was just looking to remove PART of a log or event, but the answer given will remove the ENTIRE EVENT .

Reply

thinksplunk
Engager
‎09-30-2013 11:05 PM

correct, it is writing the right regex, as i mentioned i'm new in using Splunk, so not very sure how to write the right regex.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-30-2013 10:26 PM

Did you read the linked doc page? Given that you understand the basic principle of how routing events to the nullQueue works, it's just a question of writing the right regex.

0 Karma
Reply

thinksplunk
Engager
‎09-30-2013 07:41 PM

To be exact, i need to filter the string is "2013-09-20 16:53:34,374 INFO [Thread-2] [null:-1] Success. Connected to AB Server at 192.11.12.13:123.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-24-2013 07:07 AM

You can filter out events before they are indexed with the help of a so-called nullQueue transform. Please note that the regex below is pretty specific in order not to remove events you want to keep.

props.conf

[your_source_or_sourcetype]
TRANSFORM-blah = remove_success_transport

transforms.conf

[remove_success_transport]
REGEX = ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sSuccess\stransport$
DEST_KEY = queue
FORMAT = nullQueue

For more info;

http://docs.splunk.com/Documentation/Splunk/5.0.5/Deploy/Routeandfilterdatad#Discard_specific_events...

/K

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...