Getting Data In

How can I debug my logs and whitelist a word?

guru865
Path Finder

Hi Everyone.

How can I discard all the debug logs for a sourcetype and whitelist the word "AuthIDDetection" whenever it appears in events from that sourcetype?

Please, could someone help with this. I have sourcetype "xyz" for which I am discarding the keyword "debug" from the events, i.e. we are discarding all the debug logs. I would like to discard all the debug logs for sourcetype "xyz" and whitelist the word "AuthIDDetection" whenever it appears in events from sourcetype "xyz", even in those same debug logs.

current props.conf --

[sourcetype-xyz]
TRANSFORMS-set=xyz-setnull,setparsing

transforms.conf --

[xyz-setnull]
REGEX= debug|\|Notice
DEST_KEY=queue
FORMAT=nullQueue

Could you please help with this.

FYI, I am following this documentation - http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Discard_specific_events...

1 Solution

jkat54
SplunkTrust

Try this:

Props:
[sourcetype-xyz]
TRANSFORMS-AAA=xyz-whitelist
TRANSFORMS-ZZZ=xyz-setnull

Transforms:
[xyz-whitelist]
REGEX= AuthIDDetection
DEST_KEY=queue
FORMAT=indexQueue

[xyz-setnull]
REGEX= debug|\|Notice
DEST_KEY=queue
FORMAT=nullQueue


guru865
Path Finder

Thanks @jkat54 for the inputs. Sure, I will check this as well. Also, could you please comment on the transforms.conf written below, in tandem with props.conf? Can I use the setparsing stanza instead of the whitelist in transforms.conf?

Props :

[xyz_server]
TRANSFORMS-set = xyz-setnull,xyz-setparsing
pulldown_type = true
MAX_EVENTS = 20000

transforms.conf

[xyz-setnull]
REGEX = debug|Notice
DEST_KEY = queue
FORMAT = nullQueue

[xyz-setparsing]
REGEX= AuthIDDetection
DEST_KEY=queue
FORMAT=indexQueue


jkat54
SplunkTrust

Your example would send everything to setnull first...

Do this instead:
TRANSFORMS-set= xyz-setparse,xyz-setnull

My example had it reversed but I corrected it.


jkat54
SplunkTrust

After the chat on Slack, here's what you need for your regex, and you only need one transform.

.*\<Notice\>((?!AuthID).)*$

guru865
Path Finder

Thanks a lot @jkat54. Yes, this works. Setting this to nullQueue does the work.

transforms.conf

[xyz-setnull]
REGEX = .*\((?!AuthID).)*$
DEST_KEY = queue
FORMAT = nullQueue
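A small simulation of the queue routing discussed in the replies above, added here and not part of the thread or of Splunk itself. It assumes, as in the Splunk documentation the question links, that every matching transform overwrites the queue key, so the last matching transform in the listed order decides where an event goes; it also runs the single-regex variant from the later reply against constructed sample events, including one where AuthID appears before the `<Notice>` marker.

```python
import re

# Constructed sample events (not from the thread); one per case of interest.
EVENTS = [
    "10:00:00 INFO  user login ok",
    "10:00:01 debug cache miss for session 42",
    "10:00:02 debug AuthIDDetection triggered for user bob",
    "10:00:03 <Notice> AuthIDDetection cleared for user bob",
    "10:00:04 <Notice> housekeeping run",
    "10:00:05 AuthIDDetection seen before marker <Notice> housekeeping",
]

# The two transform stanzas from the replies, reduced to the keys that matter here.
TRANSFORMS = {
    "xyz-setnull": {"REGEX": r"debug|\|Notice", "FORMAT": "nullQueue"},
    "xyz-whitelist": {"REGEX": r"AuthIDDetection", "FORMAT": "indexQueue"},
}


def route_event(event, order, transforms=TRANSFORMS):
    """Apply the named transforms in the given order. Assumption (as in the
    linked Splunk docs): each match overwrites the queue key, so the last
    matching transform decides. Unmatched events stay on indexQueue."""
    queue = "indexQueue"
    for name in order:
        stanza = transforms[name]
        if re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue


def kept_events(events, order):
    """Events that would reach the index under the given transform order."""
    return [e for e in events if route_event(e, order) == "indexQueue"]


# Single nullQueue regex from the later reply: discard <Notice> events unless
# AuthID appears somewhere after the <Notice> marker ('\<' is a literal '<').
NOTICE_WITHOUT_AUTHID = re.compile(r".*\<Notice\>((?!AuthID).)*$")


def route_single_regex(event):
    """Caveat shown by EVENTS[5]: AuthID before the marker is still discarded."""
    return "nullQueue" if NOTICE_WITHOUT_AUTHID.search(event) else "indexQueue"


if __name__ == "__main__":
    for order in (["xyz-whitelist", "xyz-setnull"], ["xyz-setnull", "xyz-whitelist"]):
        print(order, "keeps:", kept_events(EVENTS, order))
    for e in EVENTS:
        print(route_single_regex(e), "<-", e)
```

Running it shows the debug AuthIDDetection event surviving only when the indexQueue transform is listed after the nullQueue one, and the single regex discarding the event whose AuthID precedes the marker.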