Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: Using Regex We need to Capture Few Events with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
We want to capture the logs which are coming with events and condition like "WARNING" OR "HIGH" OR "MEDIUM" OR "CRITICAL" and to filter out the logs which are coming with "INFORMATION" OR "VERBOSE" OR "MONITORABLE" OR "UNEXPECTED"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi anandhalagarasan,
give this a try.
props.conf
[yoursourcetpye]
TRANSFORMS-yoursourcetype=eliminate
transforms.conf
[eliminate]
REGEX=(?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY=queue
FORMAT=nullQueue
Let me know if it works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone help on this query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi anandhalagarasan,
give this a try.
props.conf
[yoursourcetpye]
TRANSFORMS-yoursourcetype=eliminate
transforms.conf
[eliminate]
REGEX=(?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY=queue
FORMAT=nullQueue
Let me know if it works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to admit, that I was surprised my inital solution did not work as expected.
Regardless of that I found a working solution.
props.conf
[sharepoint]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = (?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY = queue
FORMAT = nullQueue
This should work for you as well.
Here is a link to helpful documentation about it:
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/Forwarding/Routeandfilterdatad#Keep_specific_...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks its working fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried the same but the filtering is not working so kindly provide a solution for the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All events are once again reaching Splunk so kindly check and update the same.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
