Hi,
We have a large amount of data in the Apache log files, and we do not want images to be indexed.
How do I match GET /pictures
and filter this out from being indexed?
//SAMPLE LOG
54.13.26.10 - - [07/Oct/2015:08:42:06 +0000] "GET /pictures/cco/4194417.jpg?1444207325625 HTTP/1.1" 200 1472 "https://www.mydomain.com/osites/t/ion/Nom?action=ActionNomOpen&client=cco&browserId=wn-1444206953462-0.3289887811175155" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0" **4739**
//REGEX (Displays IP part)
(?:(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d))
Thank you,
Darren.
You can do this by editing props and transforms.conf
In props.conf
set the TRANSFORMS-null attribute:
[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull
And in transforms.conf
add these lines
[setnull]
REGEX = \"GET\s\/pictures
DEST_KEY = queue
FORMAT = nullQueue
Thanks,
And let me know how it goes.
You can do this by editing props and transforms.conf
In props.conf
set the TRANSFORMS-null attribute:
[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull
And in transforms.conf
add these lines
[setnull]
REGEX = \"GET\s\/pictures
DEST_KEY = queue
FORMAT = nullQueue
Thanks,
And let me know how it goes.
Many thanks,
I will try it
Did you have a look at this.
http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad