Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter out lines that start with #

mlevsh
Builder
‎11-17-2021 01:08 PM

We have logs , where first few lines start with "#" and we don't need to ingest these lines. 

We tired to use different methods , that didn't work. Appreciated the help/ideas from splunkers:

1st idea: use PREAMBLE_REGEX = ^#.* in props.conf  on Heavy Forwarders where data are being parsed

2nd idea : use TRANSFORMS-null = setnull in props.conf  and transforms.conf
on Heavy Forwarders where data are being parsed

transforms.conf:
[setnull]
REGEX = ^#.*
DEST_KEY = queue
FORMAT = nullQueue

example of log:


#-----------------------------------------
#DATE CREATED:  11/02/2021@04:16
#SUBJECT:       REPORT ON THE GENERAL STATUS OF AUTOSYS JOBS
#ENVIRONMENT:   CBA
#-----------------------------------------

11/02/2021@04:16,CBA,OTHER,CBA_CLIENT_REPORT_BOX,OI
11/02/2021@04:16,CBA,OTHER,CBA_copy_file_job,OI
11/02/2021@04:16,CBA,OTHER,CBA_ABC_SCHEDULER_BOX,OI
11/02/2021@04:16,CBA,OTHER,CBA_ABC_REPORT_BOX,OI

Labels (2)
Labels
Tags (1)
0 Karma
Reply

bhargavi
Path Finder
‎11-17-2021 09:42 PM

Hi @mlevsh 

Try this for preamble_regex. It works.

PREAMBLE_REGEX=#

bhargavi_0-1637214105272.png

 

If this helps, give thumbs-up 🙂

Happy Splunking!!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-17-2021 01:29 PM

Hash is a character used for comments both in your logs and splunk config files. You might try escaping it.

0 Karma
Reply

mlevsh
Builder
‎11-17-2021 03:54 PM

Hi PickleRick,

Thank you for suggestion. Unfortunately , it didn't work

 

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...