Want to forward selective portion of the log file by forwarder to indexer

somnathnag
Engager

Hello:
What do I have to set in inputs.conf or outputs.conf on the forwarder so that I can send a selective portion of the application log file to the indexer? At present our setup forwards the whole log file, which we don't need, and this is also hurting network performance.
Thanks,
Somnath

1 Solution

lguinn2
Legend

Take a look at the following in the manual

Perform selective indexing and forwarding

You can filter the data in two different places:

  • Option 1: Filter on the indexer(s). This is the recommendation when you are filtering less than 50% of the data. Why? Because by filtering on the indexer(s), you can use the Universal Forwarder on the production systems.
  • Option 2: Filter on the forwarders. This requires that you use the heavy forwarder instead of the Universal Forwarder, and it will take some processing cycles on the production systems. Still, this may be the best choice if you are seeing network performance issues, or if you are filtering out more than 50% of the data.

The syntax and configuration files are exactly the same in either case - it is simply a matter of where you put them.

lguinn2
Legend

Example: Assume that the data you want to filter is in a file named big.log. (Note that in real life, you would have to provide the full path.)

You want to eliminate any lines that have the word INFO or WARN.

In the configuration file $SPLUNK_HOME\etc\system\local\props.conf

[source::big.log]
# Apply the transform class "t1" (the filterEvents stanza below) to every event from this source
TRANSFORMS-t1 = filterEvents

In the configuration file $SPLUNK_HOME\etc\system\local\transforms.conf

[filterEvents]
# Matched against the raw event (_raw); unanchored, so INFO or WARN anywhere in the event matches
REGEX = (?:INFO|WARN)
# Matching events are routed to the null queue and are never indexed or forwarded
DEST_KEY = queue
FORMAT = nullQueue
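
The props.conf/transforms.conf pair above, and the accepted answer's point that the same stanzas work on either a heavy forwarder or an indexer, are easier to get right if the routing logic is dry-run against sample events before the configuration goes onto production hosts. The following is an added example, not code from the original post or from Splunk: a small Python model of how a TRANSFORMS-* class is evaluated (each stanza is tried in order against _raw, the default SOURCE_KEY, and every match overwrites the queue key, so the last matching stanza decides the queue), together with a renderer that emits the corresponding stanzas. The log layout, the sample events, and the stanza names (filterEvents0, keepErrors0, and so on) are assumptions made for the example. It goes beyond the answer's single filter in two ways: an anchored variant that only looks at the log level field, and the allow-list pattern (route everything to nullQueue, then override for ERROR) for the original poster's case of forwarding only a selected portion.

```python
import re

# Constructed sample events (not from the original post), one event each,
# in an assumed "date time LEVEL message" layout.
SAMPLE_EVENTS = [
    "2024-05-01 10:00:01 INFO  Scheduler started",
    "2024-05-01 10:00:02 WARN  Disk usage at 85%",
    "2024-05-01 10:00:03 ERROR Login failed for user 'bob' from 10.0.0.7",
    "2024-05-01 10:00:04 ERROR Config reload failed; last WARN was ignored",
    "2024-05-01 10:00:05 DEBUG Heartbeat ok",
]

# A transform is (REGEX, FORMAT) with DEST_KEY = queue and SOURCE_KEY = _raw assumed.
# The list order is the order given in TRANSFORMS-<class> in props.conf.
DROP_INFO_WARN = [(r"(?:INFO|WARN)", "nullQueue")]            # the answer's filter
DROP_INFO_WARN_ANCHORED = [(r"^\S+\s+\S+\s+(?:INFO|WARN)\b", "nullQueue")]  # level field only
KEEP_ONLY_ERROR = [                                           # allow-list pattern
    (r".", "nullQueue"),                                      # first: drop everything
    (r"^\S+\s+\S+\s+ERROR\b", "indexQueue"),                  # then: override for ERROR
]


def route(event, transforms, default="indexQueue"):
    """Return the queue an event ends up in.

    Stanzas are applied in order; each match overwrites the queue key, so the
    last matching stanza wins. This models Splunk's queue routing semantics;
    it is not Splunk's own parser.
    """
    queue = default
    for regex, dest in transforms:
        if re.search(regex, event):
            queue = dest
    return queue


def kept_events(events, transforms):
    """Events that survive the filter, i.e. would be indexed or forwarded."""
    return [e for e in events if route(e, transforms) == "indexQueue"]


def render_conf(source, transforms, class_name):
    """Emit the props.conf and transforms.conf text for a transform list.

    Stanza names are derived from class_name (assumed naming, e.g. keepErrors0).
    """
    names = [f"{class_name}{i}" for i in range(len(transforms))]
    props = f"[source::{source}]\nTRANSFORMS-{class_name} = {', '.join(names)}\n"
    stanzas = []
    for name, (regex, dest) in zip(names, transforms):
        stanzas.append(
            f"[{name}]\nREGEX = {regex}\nDEST_KEY = queue\nFORMAT = {dest}\n"
        )
    return props, "\n".join(stanzas)


if __name__ == "__main__":
    for label, transforms in [
        ("drop INFO/WARN (unanchored)", DROP_INFO_WARN),
        ("drop INFO/WARN (anchored)", DROP_INFO_WARN_ANCHORED),
        ("keep only ERROR", KEEP_ONLY_ERROR),
    ]:
        print(f"== {label}")
        for e in SAMPLE_EVENTS:
            print(f"  {route(e, transforms):10s} {e}")
    props, stanzas = render_conf("big.log", KEEP_ONLY_ERROR, "keepErrors")
    print("== props.conf\n" + props + "== transforms.conf\n" + stanzas)
```

Two things the dry run makes visible. The unanchored `(?:INFO|WARN)` from the answer also discards the fourth event, an ERROR whose message body happens to contain the word WARN; anchoring the regex to the level field keeps it. And because nullQueue discards are silent, an over-broad regex is a detection blind spot rather than a visible error, so the filter is worth testing against real events from the source before it is deployed.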

somnathnag
Engager

Thanks a lot.
We would probably go with the heavy forwarder. I looked into your attached document but couldn't figure out the configuration for selective event forwarding. Can you please provide a sample configuration file?
