Read regex-based data from a log file using Splunk forwarder

raunakomar
New Member

I have a log file which polls an endpoint and performs the operation only if a new version has come. All the polling attempts (whether a new version is available or not) are logged into the log file. I am trying to read this log file, which is working fine. But I want to avoid redundant polling logs and send only those logs where a new version was found. Can this be done on the Splunk forwarder using the input.conf file?

0 Karma

tscroggins
Builder

@raunakomar 

Search the community for nullQueue. You'll find many examples similar to this:

# props.conf
[foo]
TRANSFORMS-sendToNullQueue = sendToNullQueue

# transforms.conf
[sendToNullQueue]
REGEX = no new data found
DEST_KEY = queue
FORMAT = nullQueue

Your REGEX value should contain a regular expression matching the events you want to exclude.

See also https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Discard_specific_e....

0 Karma
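
To check which lines a REGEX would discard before deploying it, the queue routing from the answer above can be modelled offline. This is an added example, not part of the original thread and not Splunk's code, and it goes one step further by also covering the keep-only arrangement (discard everything, then route matches back to indexQueue). The sample log lines, the `new version found` pattern and the stanza names `setnull`/`setparsing` are assumptions.

```python
import re

# Simplified model of a Splunk TRANSFORMS-<class> chain that routes events by
# writing DEST_KEY = queue. Transforms run in the listed order, so a later
# match overrides an earlier one. Python's re stands in for Splunk's PCRE.

# The answer's approach: discard events matching one pattern.
DISCARD_CHAIN = [
    ("sendToNullQueue", r"no new data found", "nullQueue"),
]

# Keep-only variant: drop everything, then route wanted events back.
# The second REGEX is an assumption about the log text.
KEEP_ONLY_CHAIN = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"new version found", "indexQueue"),
]

# Constructed sample events, not taken from the original post.
SAMPLE_EVENTS = [
    "2021-03-01 10:00:00 INFO poll endpoint: no new data found",
    "2021-03-01 10:05:00 INFO poll endpoint: new version found: 1.4.2",
    "2021-03-01 10:05:01 WARN download retry 1",
    "2021-03-01 10:10:00 INFO poll endpoint: no new data found",
]


def route(event, chain):
    """Return the queue an event ends up in after the chain is applied."""
    queue = "indexQueue"  # default destination when no transform matches
    for _name, regex, dest in chain:
        if re.search(regex, event):
            queue = dest
    return queue


def kept(events, chain):
    """Events that survive, i.e. are not routed to nullQueue."""
    return [e for e in events if route(e, chain) != "nullQueue"]


if __name__ == "__main__":
    for label, chain in (("discard", DISCARD_CHAIN), ("keep-only", KEEP_ONLY_CHAIN)):
        print(label)
        for e in kept(SAMPLE_EVENTS, chain):
            print("  ", e)
```

With the discard chain the unrelated WARN line is still forwarded; with the keep-only chain only the line matching the second pattern survives, and reversing the two transforms drops everything.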