Hello, I need to filter fields, but only on certain events.
Sample events:
1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_cr = 56 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624
1508735662.348 d = a event = cup fI = "2017-10-22 17: 26: 37.000" serv = ru_1 sn = u_cl = 1 u_cr = 300 u_geo = RU u_id = 1256228 u_mn = 595 u_pvp = 0 u_sd = 600 u_st = 700 u_wd = 760 u_wl = 1
The field u_cr = 56 must be removed only from the first (event = vil). In the second (event = cup), it should not change.
After filtering, the first event looks like:
1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624
I'm using a regex transform:
In props.conf:
[compact]
TRANSFORMS-eventvil = vilcut
In transforms.conf:
[vilcut]
REGEX = (event=vil.*)u_cr=.[^ \?]*(.*)$
FORMAT = $1::$2
DEST_KEY = _raw
But the field u_cr doesn't change. What am I doing wrong?
Hi bagaeva,
see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Anyway, you have to modify:
props.conf
[compact]
TRANSFORMS-eventvil = vilcut,setnull
transforms.conf
[vilcut]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
[setnull]
REGEX = event \= vil.*u_cr \= 56
DEST_KEY = queue
FORMAT = nullQueue
Check this regex at https://regex101.com/r/dLMByF/1.
Bye.
Giuseppe
Thanks, I'm using the regexp event \= vil.*u_cr \= .[^ \?]*
[vilcut]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
[setnull]
REGEX = event \= vil.*u_cr \= .[^ \?]*
DEST_KEY = queue
FORMAT = nullQueue
Check this regex at https://regex101.com/r/dLMByF/2
With this configuration, Splunk filters the event = vil event completely. I need to filter only the field u_cr=.[^ \?]*, and only in event=vil.
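A worked illustration, added here and not part of the thread, of the difference between the two approaches: a _raw rewrite that removes only the u_cr field when event=vil (what the question asks for), and queue routing as in the [setnull] stanza, which discards the whole event (what the reply observed). It assumes the events are in the compact key=value form the asker's REGEX targets, and the sample lines are constructed from the two events in the question.

```python
import re

# Constructed sample events modelled on the two events in the question, in the
# compact key=value form that the asker's REGEX targets (no spaces around "=").
SAMPLE_EVENTS = [
    "1508735029.189 d=a enm_val=25440 event=vil gnr=w gnr_l=91 serv=en_1 sn=o "
    "u_cl=19 u_cr=56 u_geo=RU u_id=160370 u_mn=2423432 u_pvp=6433109 "
    "u_sd=4101827 u_st=1418129 u_wd=2652063 u_wl=91 vil=st vil_l=16 win=1624",
    '1508735662.348 d=a event=cup fI="2017-10-22 17:26:37.000" serv=ru_1 sn= '
    "u_cl=1 u_cr=300 u_geo=RU u_id=1256228 u_mn=595 u_pvp=0 u_sd=600 u_st=700 "
    "u_wd=760 u_wl=1",
]

# Rewrite regex, same shape as the asker's: group 1 holds everything up to the
# u_cr token (and must contain event=vil), the u_cr=<value> token plus one
# trailing space is consumed, group 2 keeps the rest of the line. Capturing
# from ^ matters: with DEST_KEY=_raw the FORMAT output replaces the whole
# event, so anything outside the groups (here the timestamp) would be lost.
STRIP_UCR = re.compile(r"^(.*?event=vil.*?)u_cr=[^ ]* ?(.*)$")

# Match regex of the [setnull] stanza from the reply, in compact form.
DROP_EVENT = re.compile(r"event=vil.*u_cr=[^ ]*")


def strip_ucr(raw: str) -> str:
    """Remove the u_cr field when event=vil; otherwise return raw unchanged.

    This is what a FORMAT that concatenates the two groups ($1$2) with
    DEST_KEY=_raw would produce: the captures are joined, nothing else kept.
    """
    m = STRIP_UCR.match(raw)
    if m is None:
        return raw
    return m.group(1) + m.group(2)


def route_whole_event(raw: str) -> str:
    """Queue the [setnull] stanza routes the event to.

    Routing works on whole events: a match sends the complete event to
    nullQueue, which is why the asker saw the event=vil event disappear.
    """
    return "nullQueue" if DROP_EVENT.search(raw) else "indexQueue"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(route_whole_event(ev), "|", strip_ucr(ev))
```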