Hello all,
I am trying to index a subset of a very painful log which has header and footer noise and whose events start with the same set of characters. Here is a simplified version of the log:
**************************************************
*
* R E P O R T
*
* DATE : 15 / 10 / 2019
* HOUR : 21 : 54 : 13
*
**************************************************
**************************************************
* DETAILS
**************************************************
ID : 751412348
PROTOCOL : 452453464
**************************************************
* LOG
**************************************************
FIELD 1 FIELD 2
ID NAME
- ----------------------------------------
3 NAME 1
3 NAME 2
3 NAME 3
**************************************************
*
* SUMMARY
*
**************************************************
--------------------------------------------------
--- STANDARD
--------------------------------------------------
EXECUTED : 600
PASSED : 570
FAILED : 30
--------------------------------------------------
--- CUSTOM
--------------------------------------------------
READ COUNT : 453
**************************************************
**************************************************
FINAL STATE
**************************************************
**************************************************
From this relic of a log I'd like to only index the following lines:
3 NAME 1
3 NAME 2
3 NAME 3
I'm hoping that there is some sort of regex based parameter that I can set that will allow me to say "if a line starts \s\s\d then index it, otherwise ignore".
I've studied the PREAMBLE_REGEX parameter for props.conf, but I understand that this would only help to skip the header, and not any information in the footer.
Any push in the right direction would be greatly appreciated.
Thank you and best regards,
Andrew
Use transforms.conf to send undesired events to the null queue. See https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html or https://answers.splunk.com/answers/640411/how-to-use-regex-to-send-events-to-nullqueue-1.html for examples.
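As an added example (not from Rich's answer or the linked posts), here are the props.conf and transforms.conf stanzas such a filter would use, together with a small Python simulation of how Splunk evaluates the transforms in order. The source stanza name, the two leading spaces on the data rows, and the sample log text are assumptions.

```python
import re

# Standard Splunk pattern: send every event to the nullQueue, then send the wanted
# rows back to the indexQueue. Order in TRANSFORMS-* matters: the last transform
# whose REGEX matches an event decides which queue it lands in.
PROPS_CONF = r"""
[source::.../painful_report*.log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRANSFORMS-filter = drop_everything, keep_data_rows
"""
TRANSFORMS_CONF = r"""
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_data_rows]
REGEX = ^\s\s\d
DEST_KEY = queue
FORMAT = indexQueue
"""

# The same two transforms, in the same order, as Python regexes.
TRANSFORMS = [
    (re.compile(r"."), "nullQueue"),
    (re.compile(r"^\s\s\d"), "indexQueue"),
]

def route_event(event: str) -> str:
    """Queue an event ends up in; each matching transform overrides the previous one."""
    queue = "indexQueue"  # default when no transform matches
    for regex, target in TRANSFORMS:
        if regex.search(event):
            queue = target
    return queue

def kept_events(raw_log: str) -> list[str]:
    """One event per line (no line merging); keep only those that reach the indexQueue."""
    return [l for l in raw_log.splitlines() if l and route_event(l) == "indexQueue"]

# Constructed sample in the shape of the posted log; the data rows are assumed
# to carry the two leading spaces that the poster's \s\s\d regex implies.
SAMPLE_LOG = """\
**************************************************
* LOG
ID NAME
- ----------------------------------------
  3 NAME 1
  3 NAME 2
  3 NAME 3
EXECUTED : 600
"""
```

Running `kept_events(SAMPLE_LOG)` returns only the three data rows; the header, separator and summary lines all end in the nullQueue.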
Thanks Rich! The null queue sounds sinister! It's where the bad events go.