Read regex based data from a log file using splunk...

raunakomar · ‎03-05-2021

I have log file which polls an endpoint and if new version has come then only performs the operation. All the polling (whether new version is available or not ) are logged into log file. I am trying to read this log file which is working fine. But I want to avoid redundant polling logs and send only those logs where new version was found. Can this be done on splunk forwarder using input.conf file?

tscroggins · ‎03-06-2021

@raunakomar

Search the community for nullQueue. You'll find many examples similar to this:

# props.conf
[foo]
TRANSFORMS-sendToNullQueue = sendToNullQueue

# transforms.conf
[sendToNullQueue]
REGEX = no new data found
DEST_KEY = queue
FORMAT = nullQueue

Your REGEX value should contain a regular expression matching the events you want to exclude.

See also https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Discard_specific_e....

Read regex based data from a log file using splunk forwarder

field extraction

fields

lookup

regex

rex

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation

Read regex based data from a log file using splunk forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.