ignore the raw event using heavy forworder

nerelluk · ‎06-15-2019

Hi ALL,

could anyone help use to parsing/trimming of the raw event using heavy forworders?

Plzz find the attached screenshot .i want to ignore the rest of the events except few tags that I was highlighted.

I request you to provide me proper configuration.

Thanks,
Nerellu

woodcock · ‎06-16-2019

As others have said, use SEDCMD and use capture groups to grab your stuff so it would look something like this:

SEDCMD-reduceraw = s/^firstSkipRegEx(firstCaptureRegEx)secondSkipRegEx(secondCaptureRegEx)thirdSkipRegEx(thirdCaptureRegEx).*$/\1,\2,\3/g

richgalloway · ‎06-16-2019

If the fields are always in the same order, you should be able to do it using SEDCMD. Add this line to your props.conf file:

SEDCMD-record = s/\<L:RECORD>.*?(\<L:EPOCH>.*?\<\/L:EPOCH>)[\S\s]+(\<L:MESSAGEID>.*?\<\/L:MESSAGEID>)[\S\s]+(\<L:TEXT>.*?\<\/L:TEXT>).*\<\/L:RECORD>/$1$2$3/

---
If this reply helps you, Karma would be appreciated.

jkat54 · ‎06-16-2019

See props.conf and SEDCMD.

If you're new to regular expression use regex101.com to help you build the correct regexes.

You will need the SEDCMD in props on the first "heavy" splunk that receives the data.

ignore the raw event using heavy forworder

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio