Want to forward selective portion of the log file by forwarder to indexer

somnathnag
Engager

Hello:
What do I have to set in inputs.conf or outputs.conf of the forwarder so that I can send a selective portion of the application log file to the indexer? At present our setup forwards the whole log file, which we don't need, and this is hurting network performance as well.
Thanks
Somnath

lguinn2
Legend

Take a look at the following in the manual

Perform selective indexing and forwarding

You can filter the data in two different places:

  • Option 1: Filter on the indexer(s). This is the recommendation when you are filtering less than 50% of the data. Why? Because by filtering on the indexer(s), you can use the Universal Forwarder on the production systems.
  • Option 2: Filter on the forwarders. This requires that you use the heavy forwarder instead of the Universal Forwarder, and it will take some processing cycles on the production systems. Still, this may be the best choice if you are seeing network performance issues, or if you are filtering out more than 50% of the data.

The syntax and configuration files are exactly the same in either case - it is simply a matter of where you put them.

lguinn2
Legend

Example: Assume that the data you want to filter is in a file named big.log. (Note that in real life, you would have to provide the full path.)

You want to eliminate any lines that have the word INFO or WARN.

In the configuration file $SPLUNK_HOME\etc\system\local\props.conf

[source::big.log]
TRANSFORMS-t1 = filterEvents

In the configuration file $SPLUNK_HOME\etc\system\local\transforms.conf

[filterEvents]
REGEX = (?:INFO|WARN)
DEST_KEY = queue
FORMAT = nullQueue
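As an added example (not from the thread and not Splunk's own code), here is a Python dry-run of the filter above: it parses the two posted stanzas, follows the TRANSFORMS-t1 reference from props.conf into transforms.conf, routes a constructed batch of events the way the nullQueue transform would, and then applies the 50% rule of thumb from the accepted answer. The sample events and the function names are constructed for illustration.

```python
import configparser
import re
# Constructed copies of the two stanzas posted above.
PROPS_CONF = """[source::big.log]
TRANSFORMS-t1 = filterEvents
"""
TRANSFORMS_CONF = """[filterEvents]
REGEX = (?:INFO|WARN)
DEST_KEY = queue
FORMAT = nullQueue
"""
# Constructed sample events; the last ERROR line deliberately mentions WARN in its body.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:01 INFO  app started",
    "2024-01-01 10:00:02 WARN  disk 80% full",
    "2024-01-01 10:00:03 ERROR db connection refused",
    "2024-01-01 10:00:04 FATAL out of memory",
    "2024-01-01 10:00:05 ERROR could not send WARN notification",
]

def load_conf(text):
    """Parse a Splunk .conf file; keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp
def null_queue_patterns(props_text, transforms_text, source):
    """Compile the REGEX of every TRANSFORMS-* on `source` whose FORMAT is nullQueue."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    stanza = f"source::{source}"
    patterns = []
    for key, value in (props[stanza].items() if stanza in props else []):
        if key.startswith("TRANSFORMS-"):
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                    patterns.append(re.compile(t["REGEX"]))
    return patterns
def route_events(events, patterns):
    """Split events into (forwarded, discarded); REGEX is an unanchored search on the raw event."""
    kept, dropped = [], []
    for event in events:
        (dropped if any(p.search(event) for p in patterns) else kept).append(event)
    return kept, dropped
def recommend_filter_location(events, patterns):
    """Thread's rule of thumb: discarding more than 50% favours filtering on a heavy forwarder."""
    _, dropped = route_events(events, patterns)
    share = len(dropped) / len(events)
    return ("heavy forwarder" if share > 0.5 else "indexer"), share
```

Because the REGEX is an unanchored search over the whole event, the ERROR line whose message merely contains the word WARN is discarded too; in a real config, anchor the pattern to the log-level field to avoid losing events you care about.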

somnathnag
Engager

Thanks a lot.
Probably we would go with the heavy forwarder. I looked into your attached document but couldn't figure out the configuration for selective event forwarding. Can you please provide a sample configuration file?
