Getting Data In

How do I filter out parts of my sample log and only index a portion of the message for an event?

DuXa
New Member

I have a log with a long message. I need to cut it from A to B and, if it is possible, not show other events, to work faster. Here is an example of my log file.
I need my event from: 81503| main: number of bytes received: 467 to 1| msgsnd_w_retry [dst task: HOST, time: 27/03/2011 09:46:44.0512]: Send msg to queue 34308098. I tried to use LINE_BREAKER, but I could not do it.


Task with ID = 11 is waiting for the message to arrive on the queue 34471943.
81503|  main: number of bytes received: 467
81503|  09:46:44 
81503|  main: Found message format 1.00
81503|  =>sv_msg2msgx_ent (tag_utils.c)
81503|  =>svm_dprint (sv_message.c     10.4)
81503|  svm_dprint: Message v1.00
umsgnum =   00750163    org_pid =   00000645
dest_pid =  00000000    timestamp_in =  1301204804
msg_size =  00000411    msgtype =   00001031
direction = 00000000    dev_proc_id =   00000004
org_dev_qid =   34340867    81503|  BITS: 81503|  
81503|  [0x600fffffffef67a8] SVT_CARD_NUM       l0016:  STR: 6774889148194829
81503|  [0x600fffffffef67ba] SVT_UTRANSNO       l0004:  INT: 750163
81503|  [0x600fffffffef67c0] SVT_SV_TRACE       l0004:  INT: 750163
81503|  [0x600fffffffef67c6] SVT_DEVINFO        l0002:  STR: 00
81503|  [0x600fffffffef67ca] SVT_FINTRAN        l0001:  HEX: 01
..................................................
1|  msgx_ent2sv_msg: bptr: 0x600fffffffef5337, buf: 0x600fffffffef5140, *bufsize: 00000495d, hdr->msg_size: 00000439d
1|  msgx_ent2sv_msg() = 1, buf_len = 495
1|  msgsnd_w_retry [dst task: HOST, time: 27/03/2011 09:46:44.0512]: trying to send 495d bytes to target queue 34308098
1|  msgsnd_w_retry [dst task: HOST, time: 27/03/2011 09:46:44.0512]: Send msg to queue 34308098
1|  =>txrout_proc_state_table_status (tserv.c)
1|  txrout_proc_state_table_status: new state is: 1
1|  =>txrout_free_event (tserv.c)
1|  =>COMMIT_WORK (db_login.pc)
0 Karma

woodcock
Esteemed Legend

Using LINE_BREAKER has nothing to do with it. You need to make your forwarder a Heavy Forwarder and then do the stuff here:
http://networkerslog.blogspot.com/2012/01/how-to-filter-unwanted-data-without.html

0 Karma