How to configure props.conf and transforms.conf to filter events with LogLevel=INFO to nullQueue?

Norling80
Path Finder

Hi guys.

I have a JBoss ServerLog that contains events with the following LogLevels:
INFO
WARNING
ERROR
SEVERE

I don't want to index events with LogLevel=INFO. What should my props.conf and transforms.conf look like?

1 Solution

gfuente
Motivator

Thanks

Then you can use this config:

props.conf:

[yourjbosssourcetype]
TRANSFORMS-info=eliminate-info

transforms.conf:

[eliminate-info]
REGEX=\d*\sINFO\s\[
DEST_KEY=queue
FORMAT=nullQueue

Regards

Norling80
Path Finder

Worked like a charm, with a minor update to the regex:

REGEX=\d*\sINFO\s+\[

Thank you very much!
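
Added example, not part of the original thread: a Python check that runs the two REGEX values posted above against sample events the way the transform does (unanchored match on the raw event; a match is routed to nullQueue and not indexed). The sample events, the bracketed category after the level, and the stricter `ANCHORED` pattern are assumptions constructed for illustration.

```python
import re

# Patterns from the thread: the accepted answer's REGEX and the asker's fix.
ORIGINAL = r"\d*\sINFO\s\["
UPDATED = r"\d*\sINFO\s+\["
# Assumption (not from the thread): a stricter pattern anchored to the
# timestamp layout seen in the asker's sample events.
ANCHORED = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4} INFO\s+\["

# Constructed sample events; the bracketed category is assumed from the regex.
SAMPLES = [
    "2015-03-05 09:49:45,994 +0100 INFO  [org.apache.cxf.services] Inbound Message",
    "2015-03-05 09:49:45,227 +0100 INFO [LOG_gamings.system.GameServlet] Redirecting the request",
    "2015-03-05 06:35:14,808 +0100 ERROR [org.jboss.as.ejb3] javax.ejb.EJBTransactionRolledbackException:",
    "2015-03-05 06:35:15,101 +0100 ERROR [org.example.audit] upstream replied: 0 INFO [ignored]",
    "2015-03-05 06:35:16,300 +0100 WARNING [org.example.auth] login failed for user INFO",
]

def route(pattern, events):
    """Mimic the transform: a match anywhere in the raw event means nullQueue."""
    rx = re.compile(pattern)
    dropped = [e for e in events if rx.search(e)]
    kept = [e for e in events if not rx.search(e)]
    return dropped, kept

def levels(events):
    """Return the log level (fourth whitespace-separated field) of each event."""
    return [e.split()[3] for e in events]

def report(name, pattern):
    dropped, kept = route(pattern, SAMPLES)
    print(f"{name}: drops {levels(dropped)}, indexes {levels(kept)}")

if __name__ == "__main__":
    # ORIGINAL misses the INFO event with two spaces before "[".
    # ORIGINAL and UPDATED both drop an ERROR event whose text contains " INFO [".
    # ANCHORED drops only events whose level field is INFO.
    for name, pattern in [("original", ORIGINAL), ("updated", UPDATED), ("anchored", ANCHORED)]:
        report(name, pattern)
```

Events routed to nullQueue are discarded before indexing, so a check like this is worth running on real samples before the filter is deployed.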

gfuente
Motivator

It would be useful if you added some sample events, as they are needed to define a regex to filter out those events.

regards

Norling80
Path Finder

Sure, here you go. LogLevels in bold:

2015-03-05 09:49:45,994 +0100 INFO org.apache.cxf.services.ServerService.ServerPort.Server Inbound Message
2015-03-05 09:49:45,227 +0100 INFO LOG_gamings.system.GameServlet Redirecting the request from Game : gamename_mobile_html_sw to new game flow
2015-03-05 06:35:14,808 +0100 ERROR org.jboss.as.ejb3 javax.ejb.EJBTransactionRolledbackException:

ppablo
Retired

Hi @Norling80

Just wanted to follow up and see if @gfuente's answer below solved your question. If yes, don't forget to accept his answer and upvote it. Thanks!

Patrick
