Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do i index only specific lines from my log file?

Ashwini008
Builder
‎03-17-2021 01:13 AM

Hi,

I have the  log file,i need to search the part of line in bold(which as only EmployeeServices/com) and index only that whole line in my index?

How do i write regex to capture only the lines in bold?please help me with props.conf and transform.con

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-17-2021 01:31 AM

Hi @Ashwini008,

one quick question: is each row a separate event or a part of an event that contains all the rows?

If each row is an event, you can discard the other rows following the steps at https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Keep_specific_even... in few words, you have to configure your props.conf and tranforms.conf on your Indexers or (if present) Heavy Forwarders adding the following rows in an App:

in props.conf

[your_sourcetype]
TRANSFORMS-set= setnull,setparsing

in transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = EmployeeServices\/com\)
DEST_KEY = queue
FORMAT = indexQueue

Ciao.

Giuseppe

 

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Manual Instrumentation with Splunk Observability Cloud: The What and Why

If you've ever worked with distributed systems, you’ve likely felt the pain of a frontend throwing errors, ...

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and Splunk ES Protecting a ...

It's Customer Success Time at .conf25

Hello Splunkers,   Ready for .conf25? The customer success and experience team is and can’t wait to see you ...
Top