Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filtering the log using REGEX

keshab
Path Finder
‎11-02-2011 08:34 AM

I have following log. What will be the REGEX to index log containing line the line 'tomcat' trying to restart and send rest to nullQueue??

[CDT Oct 27 09:31:44] info : 'tomcat' trying to restart
[CDT Oct 27 09:31:44] info : 'tomcat' start: /sbin/service
[CDT Oct 27 09:33:44] info : 'tomcat' process is running with pid 20021
[CDT Oct 27 12:13:44] error : 'tomcat' process PID changed to 6908
[CDT Oct 27 12:15:44] info : 'tomcat' PID has not changed
[CDT Oct 27 14:30:04] info : unmonitor service 'tomcat' on user request
[CDT Oct 27 14:30:04] info : monit daemon at 13351 awakened
[CDT Oct 27 14:30:04] info : Awakened by User defined signal 1
[CDT Oct 27 14:30:15] info : restart service 'tomcat' on user request
[CDT Oct 27 14:30:15] info : monit daemon at 13351 awakened
[CDT Oct 27 14:30:15] info : Awakened by User defined signal 1
[CDT Oct 27 14:30:15] info : 'tomcat' trying to restart
[CDT Oct 27 14:30:15] info : 'tomcat' stop: /sbin/service
[CDT Oct 27 14:30:43] info : 'tomcat' start: /sbin/service
[CDT Oct 27 14:31:43] error : 'tomcat' failed to start
[CDT Oct 27 14:32:43] error : 'tomcat' process is not running
[CDT Oct 27 14:32:43] info : 'tomcat' trying to restart
[CDT Oct 27 14:32:43] info : 'tomcat' start: /sbin/service
[CDT Oct 27 14:32:44] info : 'tomcat' started

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎11-02-2011 12:04 PM

According to the docs if you want data to be sent to the null queue than you have to call your stanza in the transforms.conf setnull, ie:

props.conf

[yoursourcetype]
TRANSFORMS-set = setnull, setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \'tomcat\' trying to restart
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Reply

Ayn
Legend
‎11-02-2011 12:46 PM

The transform doesn't have to be called "setnull", it's just what's used in the examples. You can call the transform anything, the only thing that matters is that it has any name so that there is something to refer to it by in props.conf.

0 Karma
Reply

Ayn
Legend
‎11-02-2011 08:41 AM

First define a nullqueue transform, then another one to override it in the specific case where the event contains "'tomcat' trying to restart". Have a look at this topic in the docs: http://docs.splunk.com/Documentation/Splunk/4.1.5/Admin/Routeandfilterdata#Keep_specific_events_and_...

This should work:

props.conf:

[yoursourcetype]
TRANSFORMS-set= defaultnull,tomcatrestart

transforms.conf:

[defaultnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[tomcatrestart]
REGEX = 'tomcat' trying to restart
DEST_KEY = queue
FORMAT = indexQueue
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...