Getting Data In

How can I debug my logs and whitelist a word?

guru865
Path Finder

Hi Everyone.

How to discard all the debug logs for a sourcetype and whitelist a word "AuthIDDetection" whenever this comes in events from sourcetype

Please, could someone help with this --- I have sourcetype "xyz" to which I am discarding keyword "debug" from the events, we are discarding all the debug logs. I would like to discard all the debug logs for sourcetype -- xyz and whitelist a word "AuthIDDetection" whenever this comes in events from sourcetype "xyz" from the same debug logs.

current props.conf --

[sourcetype-xyz]
TRANSFORMS-set=xyz-setnull,setparsing

transforms.conf --

[xyz-setnull]
REGEX= debug|\\|Notice
DEST_KEY=queue
FORMAT=nullQueue

Could you please help with this.

FYI , Am following this documentation - http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Discard_specific_events...

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Try this:

Props:
[sourcetype-xyz]
TRANSFORMS-AAA=xyz-whitelist
TRANSFORMS-ZZZ=xyz-setnull

Transforms:
[xyz-whitelist]
REGEX= AuthIDDetection
DEST_KEY=queue
FORMAT=indexQueue

[xyz-setnull]
REGEX= debug|\|Notice
DEST_KEY=queue
FORMAT=nullQueue

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

Try this:

Props:
[sourcetype-xyz]
TRANSFORMS-AAA=xyz-whitelist
TRANSFORMS-ZZZ=xyz-setnull

Transforms:
[xyz-whitelist]
REGEX= AuthIDDetection
DEST_KEY=queue
FORMAT=indexQueue

[xyz-setnull]
REGEX= debug|\|Notice
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

guru865
Path Finder

Thanks @jkat54 for the inputs . Sure , i will check this as well . Also could you please suggest the below written transforms.conf in tandem with props.conf. Can i use setparsing stanza instead of white list in transforms.conf

Props :

[xyz_server]
TRANSFORMS-set= xyz-setnull,setparsing
pulldown_type = true
MAX_EVENTS = 20000

transforms.conf

[xyz-setnull]
REGEX = debug|Notice
DEST_KEY = queue
FORMAT = nullQueue

[xyz-setparsing]
REGEX= AuthIDDetection
DEST_KEY=queue
FORMAT=indexQueue
.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Your example would send everything to setnull first...

do this instead:
TRANSFORMS-set= xyz-setparse,xyz-setnull

My example had it reversed but I corrected it.

0 Karma

jkat54
SplunkTrust
SplunkTrust

After the chat on slack, here's what you need for your regex and you only need one transforms.

.*\<Notice\>((?!AuthID).)*$

guru865
Path Finder

Thanks alot @jkat54 . Yes this works . Setting this to nullQueue does the work

transforms.conf

 [xyz-setnull]
 REGEX =  .*\((?!AuthID).)*$
   DEST_KEY = queue
 FORMAT = nullQueue
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...