Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter event on splunk heavy forwarder?

anapat
New Member
‎05-20-2011 04:35 AM

I setup splunk heavy forwarder and splunk indexer.

I want to filter some event before indexed on splunk indexer.

*** Example log, i want to filter

2011-02-05 00:02:00,018 INFO [Cron_SendFaxNTF] - <BEGIN Send Notification Fax...>
2011-02-05 00:02:00,034 INFO [Cron_SendFaxNTF] - <BEGIN Send Notifications...>

I try to config both indexer and forwarder but not work!!!

*** props.conf

[iCIS_log]
TRANSFORMS-icisLog = icisLog-null

*** transforms.conf 

[icisLog-null]
REGEX = ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sINFO.*
DEST_KEY = queue
FORMAT = nullQueue

Help me please !!!!

Tags (3)
0 Karma
Reply

ftk
Motivator
‎05-20-2011 05:30 AM

In your inputs.conf, do you have your monitor set to the correct sourcetype (iCIS_log)?

Possibly tune your REGEX as such: ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d{3}\s+INFO

0 Karma
Reply

anapat
New Member
‎05-21-2011 02:42 AM

Yes, I monitor sourcetype "iCIS log" and try to config both indexer and forwarder

I'll test with your regex. And i'll update result later.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...
li.common.scroll-to.top