Solved: Filtration of logs during ingestion

anandhalagaras1 · ‎02-15-2021

Hi All,

I want to filter out the logs during the ingesting time itself so that if the keyword "GET / - 80" is present in the logs then it should not be ingested into Splunk but the rest of the logs should be ingested into Splunk. I will place the props and transforms in the Heavy Forwarder server so that during parsing it can filter out those logs.

Sample logs:

2021-02-15 13:04:28 xxx.xx.xxx.x GET / - 80 - xxx.xx.xx.x - - xxx x x xx

2021-02-15 13:04:27 xxx.xx.xxx.x GET / - 443 - xxx.xx.xx.x - - xxx x x xx

where "x" represents number IP's . So kindly help with the props and transforms.

The sourcetype is "abc".

manjunathmeti · ‎02-15-2021

You can match and send the logs containing "GET / - 80" to null queue.
transforms.conf

[nullq]
DEST_KEY = queue
REGEX = GET\s\/\s-\s80
FORMAT = nullQueue

props.conf

[sourcetype_name]
TRANSFORMS-nullq = nullq

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

manjunathmeti · ‎02-15-2021

You can match and send the logs containing "GET / - 80" to null queue.
transforms.conf

[nullq]
DEST_KEY = queue
REGEX = GET\s\/\s-\s80
FORMAT = nullQueue

props.conf

[sourcetype_name]
TRANSFORMS-nullq = nullq

If this reply helps you, an upvote/like would be appreciated.

anandhalagaras1 · ‎02-16-2021

@manjunathmeti ,

Thank you it worked like a charm.

Filtration of logs during ingestion

props.conf

transforms.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!