Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my regex to filter out images in A...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmccabe2
New Member
10-28-2015
03:12 AM
Hi,
We have a large amount of data in the Apache log files, and we do not want images to be indexed.
How do I match GET /pictures and filter this out from being indexed?
//SAMPLE LOG
54.13.26.10 - - [07/Oct/2015:08:42:06 +0000] "GET /pictures/cco/4194417.jpg?1444207325625 HTTP/1.1" 200 1472 "https://www.mydomain.com/osites/t/ion/Nom?action=ActionNomOpen&client=cco&browserId=wn-1444206953462-0.3289887811175155" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0" **4739**
//REGEX (Displays IP part)
(?:(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d))
Thank you,
Darren.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
krish3
Contributor
10-29-2015
02:20 AM
You can do this by editing props and transforms.conf
In props.conf set the TRANSFORMS-null attribute:
[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull
And in transforms.conf add these lines
[setnull]
REGEX = \"GET\s\/pictures
DEST_KEY = queue
FORMAT = nullQueue
Thanks,
And let me know how it goes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
krish3
Contributor
10-29-2015
02:20 AM
You can do this by editing props and transforms.conf
In props.conf set the TRANSFORMS-null attribute:
[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull
And in transforms.conf add these lines
[setnull]
REGEX = \"GET\s\/pictures
DEST_KEY = queue
FORMAT = nullQueue
Thanks,
And let me know how it goes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmccabe2
New Member
10-30-2015
01:52 AM
Many thanks,
I will try it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-28-2015
08:56 PM
Did you have a look at this.
http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad
Get Updates on the Splunk Community!
Monitoring Postgres with OpenTelemetry
Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...
Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly
To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview.
In ...
Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor
Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...
