Collect specific rows of a trace file

avitallange
Explorer

Hi,

Is it possible to collect specific rows of a trace file?

I have one trace file that contains Info traces and Error traces.
I'd like Splunk to collect only the error lines.

For example, below are 2 rows in the trace file:

Time: 07/31/2013 10:35:30, Content: MyInfoMessage, Severity: Information

Time: 07/31/2013 10:45:30, Content: MyInfoMessage, Severity: Error

I'd like to collect with Splunk the second line only, the one that contains "Severity: Error"

Does anyone have any idea how to do this?


sowings
Splunk Employee

The usual way to do this would be to prompt Splunk to drop the messages that are "Severity: Information". This is done with a parse-time transform to set the _queue metadata field for that event to nullQueue. An example is shown below. The assumption is that your sourcetype for the data is "my_sourcetype".

props.conf


    # Applies to every event of this sourcetype at parse time.
    # The TRANSFORMS-<class> key names the transforms.conf stanza(s) to run.
    [my_sourcetype]
    TRANSFORMS-0_null_queue = drop_information_messages

transforms.conf


    # Any event whose raw text matches REGEX has its queue set to nullQueue,
    # so it is discarded instead of being indexed.
    [drop_information_messages]
    REGEX = Severity:\sInformation
    DEST_KEY = queue
    FORMAT = nullQueue

See transforms.conf and look for nullQueue.

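The following is an added example, not code from the original post or from Splunk. It simulates how Splunk routes events through an ordered list of parse-time transforms (each entry mirrors a transforms.conf stanza with DEST_KEY = queue), so you can check what a filter would keep before deploying it. Two policies are shown: the answer's "drop Severity: Information" transform, and the documented allowlist pattern (send everything to nullQueue first, then route only Error events back to indexQueue), which also drops severities such as Warning that the original question never mentions. The sample trace lines beyond the two in the question, and the stanza names setnull and keep_errors, are constructed for this example.

```python
import re

# Constructed sample trace; the first two lines are from the question, the
# rest are invented to show what happens to other severities.
SAMPLE_TRACE = """\
Time: 07/31/2013 10:35:30, Content: MyInfoMessage, Severity: Information
Time: 07/31/2013 10:45:30, Content: MyInfoMessage, Severity: Error
Time: 07/31/2013 10:50:00, Content: DiskAlmostFull, Severity: Warning
Time: 07/31/2013 10:55:12, Content: MyInfoMessage, Severity: Information
"""

# Each tuple mirrors a transforms.conf stanza: (stanza name, REGEX, FORMAT),
# all with DEST_KEY = queue.  Splunk runs the transforms named in a
# props.conf TRANSFORMS-<class> line in order; the last one whose REGEX
# matches decides the event's queue.

# Policy from the answer above: discard Information events, index the rest.
DROP_INFORMATION = [
    ("drop_information_messages", r"Severity:\sInformation", "nullQueue"),
]

# Allowlist policy (Splunk's documented "keep specific events, discard the
# rest" pattern): send everything to nullQueue, then pull Error events back.
KEEP_ONLY_ERRORS = [
    ("setnull", r".", "nullQueue"),
    ("keep_errors", r"Severity:\sError", "indexQueue"),
]


def route_event(event, transforms, default_queue="indexQueue"):
    """Return the queue an event lands in after applying the transforms in order."""
    queue = default_queue
    for _name, regex, fmt in transforms:
        # REGEX is unanchored and searched anywhere in the raw event text.
        if re.search(regex, event):
            queue = fmt  # last matching transform wins
    return queue


def index_events(raw_text, transforms):
    """Return the events that would be indexed (i.e. not sent to nullQueue)."""
    kept = []
    for line in raw_text.splitlines():
        if not line.strip():
            continue  # skip blank lines; Splunk would not create an event for them
        if route_event(line, transforms) != "nullQueue":
            kept.append(line)
    return kept


if __name__ == "__main__":
    for label, policy in (("drop Information", DROP_INFORMATION),
                          ("keep only Error", KEEP_ONLY_ERRORS)):
        print(f"--- policy: {label} ---")
        for event in index_events(SAMPLE_TRACE, policy):
            print(event)
```

With the sample trace, the drop-Information policy indexes both the Error and the Warning line, while the allowlist policy indexes only the Error line, which is the closer match to "collect the error lines only". Two caveats that apply to the real configuration: the REGEX is matched against the raw event after line breaking, so for multi-line events it sees the whole event, and nullQueue filtering runs in the parsing pipeline, which means it takes effect on an indexer or heavy forwarder, not on a universal forwarder.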