Splunk Dev

Using Regex We need to Capture Few Events with Conditions (High, Critical etc.)

anandhalagarasa
Path Finder

Hi

We want to capture the logs which are coming with events and condition like "WARNING" OR "HIGH" OR "MEDIUM" OR "CRITICAL" and to filter out the logs which are coming with "INFORMATION" OR "VERBOSE" OR "MONITORABLE" OR "UNEXPECTED"

Tags (1)
0 Karma
1 Solution

horsefez
Motivator

Hi anandhalagarasan,

give this a try.

props.conf

[yoursourcetpye]
TRANSFORMS-yoursourcetype=eliminate


transforms.conf

[eliminate]
REGEX=(?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY=queue
FORMAT=nullQueue

Let me know if it works!

View solution in original post

0 Karma

anandhalagarasa
Path Finder

Can anyone help on this query.

0 Karma

horsefez
Motivator

Hi anandhalagarasan,

give this a try.

props.conf

[yoursourcetpye]
TRANSFORMS-yoursourcetype=eliminate


transforms.conf

[eliminate]
REGEX=(?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY=queue
FORMAT=nullQueue

Let me know if it works!

0 Karma

horsefez
Motivator

I have to admit, that I was surprised my inital solution did not work as expected.
Regardless of that I found a working solution.

props.conf

[sharepoint]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = (?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY = queue
FORMAT = nullQueue

This should work for you as well.
Here is a link to helpful documentation about it:
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/Forwarding/Routeandfilterdatad#Keep_specific_...

0 Karma

anandhalagarasa
Path Finder

Thanks its working fine.

0 Karma

anandhalagarasa
Path Finder

I have tried the same but the filtering is not working so kindly provide a solution for the same.

0 Karma

anandhalagarasa
Path Finder

All events are once again reaching Splunk so kindly check and update the same.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...