Is there a option to ingest application logs for o...

kiran331 · ‎06-12-2017

Hi

Is there a option to ingest the logs of only one process from the windows servers ignoring rest of the events?

maheshj · ‎06-13-2017

Hi Kiran,
Yes it's possible to do while ingesting the data.
Configure the event-level transformations on the indexer.

If an event contains the regex pattern (? pattern), then index the event to index1.
If an event contains the regex pattern (?! pattern), then do not index.

Note pattern will be your windows process

transforms.conf
[eventsRoute]
REGEX= (? pattern)
DEST_KEY = _MetaData:Index
FORMAT = <index1>

[eventsDrop]
REGEX = (?! pattern)
DEST_KEY = queue
FORMAT = nullQueue

props.conf
[Yoursourcetype]
TRANSFORMS-‐neglect = eventsDrop
TRANSFORMS-‐ingest = eventsRoute

Regards,
Mahesh

DalJeanis · ‎06-13-2017

... with the small note that the pattern for eventsDrop could be .*, to send EVERYTHING to the nullQueue unless it was later overridden by matching the pattern for eventsRoute.

Is there a option to ingest application logs for only one applicaiton(process) on teh windows servers?

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Join the Conversation

Is there a option to ingest application logs for only one applicaiton(process) on teh windows servers?

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?