Getting Data In

I need a help in props.conf and transforms.conf

Path Finder

Hi,

I am new to splunk. Need some help in log filtering. I have below example log:
p 12 02:04:55 xxx,[DEFAULTLOG] 2019-09-12 02:04:52,066 xxxxxxxxxxxxx
Sep 12 02:04:55 xxx,[AUDIT
LOG] 2019-09-12 02:04:51,309 xxxxxxxxx
Sep 12 02:04:55 xxx,[DEFAULTLOG] 2019-09-12 02:04:51,904 xxxxxxx
p 12 02:04:55 xxx,[AUTH
LOG] 2019-09-12 02:04:52,066 xxxxxxxxxxx

I need to get only AUDITLOG and AUTHLOG entry. How to write props and transforms confic file for this.

Thanks

0 Karma
1 Solution

Ultra Champion

Have a look at this page in docs: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data...

For your case, that would look something like this:

props.conf:

[yoursourcetypehere]
TRANSFORMS-set= my-setnull,my-setparsing

transforms.conf:

[my-setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[my-setparsing]
REGEX = \[AUDIT_LOG\]|\[AUTH_LOG\]
DEST_KEY = queue
FORMAT = indexQueue

View solution in original post

0 Karma

Ultra Champion

Have a look at this page in docs: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data...

For your case, that would look something like this:

props.conf:

[yoursourcetypehere]
TRANSFORMS-set= my-setnull,my-setparsing

transforms.conf:

[my-setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[my-setparsing]
REGEX = \[AUDIT_LOG\]|\[AUTH_LOG\]
DEST_KEY = queue
FORMAT = indexQueue

View solution in original post

0 Karma

Path Finder

Hi FrankVI,

It worked thanks.

0 Karma