Collect specific rows of a trace file

avitallange · ‎08-01-2013

Hi,

Is it possible to collect specific rows of a trace file?

I have one trace file that contains Info traces and Error traces.
I'd like Splunk to collect only the error lines.

For example, below are 2 rows in the trace file:

Time: 07/31/2013 10:35:30, Content: MyInfoMessage, Severity: Information

Time: 07/31/2013 10:45:30, Content: MyInfoMessage, Severity: Error

I'd like to collect with Splunk the second line only, the one that contains "Severity: Error"

Is thre any idea how to do this?

sowings · ‎08-01-2013

The usual way to do this would be to prompt Splunk to drop the messages that are "Severity: Information". This is done with a parse-time transform to set the _queue metadata field for that event to nullQueue. An example is shown below. The assumption is that your sourcetype for the data is "my_sourcetype".

props.conf

[my_sourcetype] TRANSFORMS-0_null_queue = drop_information_messages

transforms.conf

[drop_information_messages] REGEX = Severity:\sInformation DEST_KEY = queue FORMAT = nullQueue

See transforms.conf and look for nullQueue.

Collect specific rows of a trace file

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

Collect specific rows of a trace file

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA