How can I filter out HTTP 301 and 302 on a linux Heavy forwarder so that it doesn't forward those logs to the cloud indexer

eosi
New Member

I am new to Splunk and can see a previous post about filtering out Security logs. Would anyone please be able to help with filtering out certain HTTP traffic?

0 Karma

michael_sleep
Communicator

Post some sample data and we can give you some working regex to go with it.

0 Karma

inventsekar
SplunkTrust

From the documentation, to discard specific events and keep the rest:
This example discards all sshd events in /var/log/messages by sending them to nullQueue:

1. In props.conf, set the TRANSFORMS-null attribute:

   [source::/var/log/messages]
   TRANSFORMS-null = setnull

2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":

   [setnull]
   # The brackets must be escaped: an unescaped [sshd] is a character class that matches any single s, h or d
   REGEX = \[sshd\]
   DEST_KEY = queue
   FORMAT = nullQueue

That does it.

Could you please update us with the HTTP error log and a few 301 and 302 sample messages?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma
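As an added example that is not part of the thread, the nullQueue pattern above applied to the original question, with a small Python check that the REGEX matches only the status field of Apache/nginx combined-format access logs and not a 301 or 302 that happens to appear in a URL or byte count. The log path, stanza name and sample lines are constructed for illustration; the sourcetype is assumed to be parsed on the heavy forwarder.

```python
import re

# Constructed Apache/nginx combined-format access log lines (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /old-page HTTP/1.1" 301 302 "-" "curl/8.0"
10.0.0.6 - - [12/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:00:03 +0000] "GET /api/items/301 HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /admin HTTP/2.0" 500 302 "-" "Mozilla/5.0"
"""

# Splunk's REGEX is PCRE; both patterns below use only syntax that Python's re shares with it.
# Anchored: the status code is the 3-digit token right after the closing quote of the
# request line, so match the protocol token, the quote, then 30[12] followed by whitespace.
STATUS_30X_ANCHORED = re.compile(r'HTTP/\d(?:\.\d)?" 30[12]\s')
# Naive: the digits anywhere in the event (URL paths, byte counts and IPs also match).
STATUS_30X_NAIVE = re.compile(r'30[12]')

# Equivalent heavy-forwarder configuration (hypothetical log path and stanza name).
PROPS_CONF = r"""
[source::/var/log/httpd/access_log]
TRANSFORMS-null = drop_redirects
"""
TRANSFORMS_CONF = r"""
[drop_redirects]
REGEX = HTTP/\d(?:\.\d)?" 30[12]\s
DEST_KEY = queue
FORMAT = nullQueue
"""

def apply_nullqueue(lines, pattern):
    """Simulate the transform: events matching REGEX go to nullQueue (dropped),
    every other event is forwarded. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for line in lines:
        (dropped if pattern.search(line) else forwarded).append(line)
    return forwarded, dropped

def status_of(line):
    """Return the HTTP status field of a combined-format line, for checking results."""
    return line.split('" ')[1].split()[0]

if __name__ == "__main__":
    for name, pat in (("anchored", STATUS_30X_ANCHORED), ("naive", STATUS_30X_NAIVE)):
        fwd, drop = apply_nullqueue(SAMPLE_LOG.splitlines(), pat)
        print(f"{name}: dropped {[status_of(l) for l in drop]}, "
              f"forwarded {[status_of(l) for l in fwd]}")
```

Running it shows the anchored pattern dropping exactly the 301 and 302 events, while the naive pattern also silences the 200 response for /api/items/301 and the 500 error whose byte count is 302.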

woodcock
Esteemed Legend

Read up on the basic technique here (it is pretty straightforward):

http://docs.splunk.com/Documentation/Splunk/6.1.5/Forwarding/Routeandfilterdatad

0 Karma