Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter data in log files

JagsP
Explorer
‎08-21-2024 12:51 AM

Hello everyone , 

I want to filter data for a specific keyword "Snapshot created successfully " from a log file but i am getting other events also along with the searched keywords. My entries in props.conf and transform.conf is as below :

 

props.conf
[sourcetype]
TRANSFORMS-filter = stanza

transforms.conf

[stanza]
REGEX = "Snapshot created successfully"
DEST_KEY = queue
FORMAT = indexqueue

Is there any issue here ?

Labels (1)
Labels
0 Karma
Reply

Bhumi
Path Finder
‎10-23-2024 05:52 AM

Hello @JagsP 

Please update the [stanza] regex as follows:

REGEX = successful\, returned exit code \'0\'

Note: Make sure to place the configurations correctly otherwise it will not work .

For eg: If your data flow is UF->HF->Indexer, parsing occurs at the full enterprise instance, with the HF being the first layer where this takes place. 

Additionally, here is the documentation for routing and filtering data, which will help you understand the core concepts.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Forwarding/Routeandfilterdatad

For learning and writing regex for your data, you can use the platform  https://regex101.com/

If this resolves your issue, please accept and upvote the answers.

Happy Splunking!

0 Karma
Reply

Bhumi
Path Finder
‎10-23-2024 03:21 AM

Hello @JagsP 

1. What is the dataflow ? For Eg: UF->HF->Indexer and where have you placed your configurations. 

2. Also, share the sample event , so accordingly I can help you with regex part. 

0 Karma
Reply

JagsP
Explorer
‎10-23-2024 03:30 AM 
props.conf :

[sap_failure]
TRANSFORMS-filter = setnull,stanza



transform.conf :

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue



[stanza]
REGEX = "successful, returned exit code '0'"
DEST_KEY = queue
FORMAT = indexQueue



Content:

[16/Sep/2024:02:00:36 -05:00] INFO : [PID:0185317:Backup:360] [1] successful, returned exit code '0'
[16/Sep/2024:02:00:36 -05:00] DEBUG: [PID:0185317:SAPHANA:648] SQLSTRING: 'BACKUP DATA FOR FULL SYSTEM CLOSE SNAPSHOT BACKUP_ID 1726470003540 SUCCESSFUL 'hana_data_FHL__2024-09-16T070003-1779190Z''

 

Here in content if you see i have other events which is not having the desired text string . I need to filter all other events .

 

has context menu

0 Karma
Reply

PaulPanther
Motivator
‎08-21-2024 12:57 AM

If you wanna filter out all other events please try

props.conf


[sourcetype]
TRANSFORMS-filter = setnull,stanza


transforms:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[stanza]
REGEX = "Snapshot created successfully"
DEST_KEY = queue
FORMAT = indexQueue
 
0 Karma
Reply

JagsP
Explorer
‎10-08-2024 03:44 AM

It did not work 😞 It is still giving all the events other than the expected one.

0 Karma
Reply

JagsP
Explorer
‎08-26-2024 02:59 AM

I am trying out this . I will let you know whether it worked ! Thanks .

0 Karma
Reply

PaulPanther
Motivator
‎10-08-2024 06:16 AM

Where have youe configured these settings? And how do you pull/push the data to your indexer? Are there any HeavyForwarders involved?

Feel free to share an sample event with us.

0 Karma
Reply

JagsP
Explorer
‎10-22-2024 11:07 PM

Yes , Heavy forwarders are being used but how it will impact the data filtration ?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-23-2024 12:18 AM

It is important where you put your settings.

Parsing is done on the first "heavy" component in event's path to indexers. So if you have a HF as an intermediate forwarder, you need to put your props/transforms there.

Of course you will still be getting already indexed events during searching index-time transforms are applied only for the new events.

0 Karma
Reply

JagsP
Explorer
‎10-23-2024 01:14 AM

Is there any issue with the below settings ? Also is the Regex wrong here ?

[sourcetype]
TRANSFORMS-filter = setnull,stanza


transforms:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[stanza]
REGEX = "Snapshot created successfully"
DEST_KEY = queue
FORMAT = indexQueue

 A 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-23-2024 01:31 PM

Wait a second. Does your raw data contain the string in quotes or without them?

0 Karma
Reply

JagsP
Explorer
‎10-22-2024 04:09 AM

This is my error string " successful, returned exit code '0'" but apart from this error , other events are also getting returned. Please help in creating the regex for this as i am new to Regex and also how can we create or take help from where to create regex?

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...