Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to apply two levels of filtering during parsing in heavy forwarder?

meenal901
Communicator
‎08-18-2014 12:00 AM

I have data on which i want to apply 2 level of filtering before indexing
Let the complete data set be called A

Level1 : On complete data i want to keep only events that match some defined patterns ( regular expressions ) ( let the group of pattern be called as B )
So resulting pattern should be A - B

Level 2 : On the filtered events , i want to reject specified defined patterns and KEEP the remaining one ( Let the patterns be called C )

Result should be A - B - C
All this should happen during parsing stage only

0 Karma
Reply

MuS
Legend
‎08-18-2014 12:20 AM

Hi meenal901,

see the docs about filter event data and send to queue for some good examples on this topic.
Create a nullQueue transform for B and a second for C and it should work for you.

cheers, MuS

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...
Top