Splunk Enterprise

forward only specific events during parsing

riqbal
Communicator

Hi everyone.

I want to forward only specific events to the indexer at the parsing stage.

My props.conf:
[source::/xxs/sxx_bxxxx_2.txt]
sourcetype = sxxsxlbxxx3
TRANSFORMS = null_queue_filter

transforms.conf
[null_queue_filter]
REGEX = 4$
DEST_KEY = queue
FORMAT = indexQueue

Please note that I only want to forward events to the index which end with 4.

0 Karma

deepashri_123
Motivator

Hey @riqbal,

Can you try this:

props.conf:

[source::/xxs/sxx_bxxxx_2.txt]
TRANSFORMS-set = setnull,setparsing

Edit transforms.conf and add the following:

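# Runs first: routes every event to the nullQueue (discarded before indexing)
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Runs second: events ending in 4 are routed back to the indexQueue
[setparsing]
REGEX = 4$
DEST_KEY = queue
FORMAT = indexQueue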

Let me know if this helps!!
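The routing logic behind the two configurations in this thread, as an added example that is not part of the original posts. It is a simplified Python model, not Splunk code: it assumes events default to indexQueue and that transforms run in the listed order with a later match overwriting an earlier one. The sample events are constructed.

```python
import re

DEFAULT_QUEUE = "indexQueue"  # assumption of this model: where events go if nothing reroutes them

# Stanzas copied from the thread: the question's single transform and the answer's pair.
TRANSFORMS = {
    "null_queue_filter": {"REGEX": r"4$", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    "setnull":           {"REGEX": r".",  "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing":        {"REGEX": r"4$", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

def route(event, transform_names):
    """Return the queue an event ends up in after the listed transforms run in order."""
    queue = DEFAULT_QUEUE
    for name in transform_names:
        stanza = TRANSFORMS[name]
        if stanza["DEST_KEY"] == "queue" and re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]  # a later match overwrites an earlier one
    return queue

def indexed(events, transform_names):
    """Events that survive filtering, i.e. are not left in nullQueue."""
    return [e for e in events if route(e, transform_names) != "nullQueue"]

# Constructed sample events (not from the thread).
EVENTS = [
    "2021-06-01 10:00:01 login ok status=4",
    "2021-06-01 10:00:02 login ok status=7",
    "2021-06-01 10:00:03 logout id=1234",
    "2021-06-01 10:00:04 heartbeat",  # contains a 4, but does not end with one
]

if __name__ == "__main__":
    for label, chain in [
        ("question (null_queue_filter)", ["null_queue_filter"]),
        ("answer (setnull,setparsing)", ["setnull", "setparsing"]),
        ("reversed (setparsing,setnull)", ["setparsing", "setnull"]),
    ]:
        print(label, "->", indexed(EVENTS, chain))
```

In this model the question's single transform keeps all four events, because nothing ever sends the non-matching ones to nullQueue, while reversing the answer's order drops everything. Running candidate regexes over representative sample events this way shows what a filter would discard before it is deployed.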

DalJeanis
SplunkTrust

@deepashri_123 - Good job! We've converted this to an answer, because it should be exactly what the OP needs.

0 Karma

deepashri_123
Motivator

Thank you!!

0 Karma