Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- transforms filter
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
transforms filter
a212830
Champion
11-30-2013
10:26 AM
Hi,
I have a large logfile, but only want certain data. The data is very well structured:
timestamp|itemId|field1Name|field1Value|field2Name|field2Value...
1385832300000|325447|NormalizedCPUInfo|Utilization|3|CPU|IVEblah|CPU 1
1385832300000|358154|NormalizedCPUInfo|Utilization|1|CPU|FILBlah|CPU 5
1385832300000|330336|NormalizedMemoryInfo|Utilization|94|Memory|WCblah|Memory
1385832300000|326223|NormalizedCPUInfo|Utilization|3|CPU|wCblAH1|BlueCoat CPU3
1385832300000|326223|NormalizedCPUInfo|cpuIdleUtilization|97|CPU|iPS-sdf|BlueCoat CPU3
1385832300000|326223|NormalizedCPUInfo|cpuIdleUtilization|97|CPU|R7DALblh|BlueCoat CPU3
1385832300000|326223|NormalizedCPUInfo|cpuIdleUtilization|97|CPU|C29mmkabc|BlueCoat CPU3
I only want to report on certain devices, which is based on the 7th field.
My props.conf has the following entry:
TRANSFORMS-set = setnull,setparsing
And my transforms.conf has the following:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (?:[^|]+|){6}(FIL|[Ww[Cc]|[Ii][Pp][Ss]|[Ii][Vv][Ee])
DEST_KEY = queue
FORMAT = indexQueue
I expect to only receive events that where the 7th field starts with FIL/WC/IPS..., yet I am receiving everything. Did I miss something? These entries are on the indexer, in a distributed environment (forward->indexer->sh).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ShaneNewman
Motivator
11-30-2013
12:42 PM
According to regexpal.com your regex matches this:
1385832300000|325447|NormalizedCPUInfo|Utilization|3|CPU|IVEblah|CPU 1
The matched parts are bold. The current regex is not using "|" correctly as or. Everything needs to be inside a single set of brackets.
If you want to match only the events you have specified then your regex will need to look more like this:
[setparsing]
REGEX = ^(\w+\|){6}[FIL|Ww|Cc|Ii|Pp|Ss|Ii|Vv|Ee]
DEST_KEY = queue
FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a212830
Champion
11-30-2013
05:18 PM
Never mind, got it! Thanks for all the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ShaneNewman
Motivator
11-30-2013
03:26 PM
I assume you restarted the instance and deployed this to the forwarder and indexer both?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a212830
Champion
11-30-2013
01:12 PM
Thanks, but that didn't work. I want only events where field 7 beings with FIL/WC/IPS and I'm still getting everything.
Get Updates on the Splunk Community!
How to send events & findings from AWS to Splunk using Amazon EventBridge
Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
