Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

extracting from logs before indexing to server

dhs_harry08
Path Finder
‎07-27-2011 10:05 AM

Hi

Is there a way to extract a part of log event before it being indexed to splunk server for example
Below is the entire event.

====================
{ActiveMQ Session Task} DEBUG LogCollector - start[1311770824360] time[474] tag[card;cardCreation;cardCreation End] host[hagrid.hyd.wc;127.0.0.1]
{ActiveMQ Session Task} DEBUG PerfLoggerDAOImpl - getting ServiceOperationInfo
Hibernate: select serviceope1_.id as id2_, serviceope1_.service_id as service2_2_, serviceope1_.operation_name as operation3_2_, serviceope1_.operation_descr as operation4_2_, serviceope1_.status as status2_ from service_info serviceinf0_, service_operation_info serviceope1_ where serviceope1_.service_id=serviceinf0_.id and serviceinf0_.name=? and serviceope1_.operation_name=?
Hibernate: select serviceinf0_.id as id1_0_, serviceinf0_.name as name1_0_, serviceinf0_.description as descript3_1_0_, serviceinf0_.type as type1_0_, serviceinf0_.status as status1_0_ from service_info serviceinf0_ where serviceinf0_.id=?
{ActiveMQ Session Task} DEBUG PerfLoggerDAOImpl - saving TaskExecutionInfo instance
=============

But I want only to see this "start[1311770824360] time[474] host[hagrid.hyd.wc;127.0.0.1]" in my indexer and the rest of part should be ignored. the filtering to be done on the client side only.
Is this possible.
Regards,
Harish

0 Karma
Reply

dhs_harry08
Path Finder
‎07-28-2011 04:25 AM

I am actually using splunk forwarder. Is it possible to specify in splunk forwarding config files or write some script to filter out the my application logs.

Regards,
Harish

0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎07-27-2011 09:55 PM

I'm going to presume that your source application is using log4j as its logging framework(because activemq uses log4j) , therefore you could declare a seperate log4j appender in your log4j config file that outputs only the log data you want to send to the Splunk Indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...