Re: Read regex based data from a log file using sp...

raunakomar · ‎03-05-2021

I have log file which polls an endpoint and if new version has come then only performs the operation. All the polling (whether new version is available or not ) are logged into log file. I am trying to read this log file which is working fine. But I want to avoid redundant polling logs and send only those logs where new version was found. Can this be done on splunk forwarder using input.conf file?

tscroggins · ‎03-06-2021

@raunakomar

Search the community for nullQueue. You'll find many examples similar to this:

# props.conf
[foo]
TRANSFORMS-sendToNullQueue = sendToNullQueue

# transforms.conf
[sendToNullQueue]
REGEX = no new data found
DEST_KEY = queue
FORMAT = nullQueue

Your REGEX value should contain a regular expression matching the events you want to exclude.

See also https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Discard_specific_e....

Read regex based data from a log file using splunk forwarder

field extraction

fields

lookup

regex

rex

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

Read regex based data from a log file using splunk forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.