Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way in Splunk Web to not import certain events?

splunk2day
Explorer
‎07-05-2018 02:05 PM

I'm trying import an xml and using Line_breakers and such I could get clean events that have my data of interest. Rest of the xml tags (broken events) I want to get rid of during import. Is there a way to do this?! Thanks!

Tags (1)
0 Karma
Reply

niketn
Legend
‎07-06-2018 04:02 AM

@splunk2day give us more detail of your XML data. Since this kind of filtering will be based on Regular Expression we would need the sample of XML to find start and end pattern of data to index and data to drop from the same event.

Refer to the following Documentation to Discard specific events and keep the rest and Keep specific events and discard the rest

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

splunk2day
Explorer
‎07-09-2018 02:33 PM

Thanks! While this does . provide some inkling, it's not a complete solution as I'm using the web and not entirely sure how this applies to the web, during manual import. My xml data looks like below -

I'm only interested in the part between the attributes tags, rest everything i want to filter out. I'm able to break it into meaningful events for me and just looking for the filter out way to i can totally eliminate having to import the meta data.

*** . unable to post xml here - it all formats funny ****
hopefully this gives u some idea

metadata tags level 1
metadata tags level 2
metadata tags level 3
xml fragment of interested that i can extract
closing and reopening meta data tags to my data of interest can repeat that i want to get rid of for a cleaner event imports ..

0 Karma
Reply

woodcock
Esteemed Legend
‎07-09-2018 05:58 PM

You can easily post XML by pasting it, highlighting it and clicking on the 1010101 "code" button in the style/editor ribbon above your text window.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...