Splunk Search

Read regex based data from a log file using splunk forwarder

raunakomar
New Member

I have log file which polls an endpoint and if new version has come then only performs the operation. All the polling (whether new version is available or not ) are logged into log file. I am trying to read this log file which is working fine. But I want to avoid redundant polling logs and send only those logs where new version was found. Can this be done on splunk forwarder using input.conf file?

Labels (6)
0 Karma

tscroggins
Champion

@raunakomar 

Search the community for nullQueue. You'll find many examples similar to this:

# props.conf
[foo]
TRANSFORMS-sendToNullQueue = sendToNullQueue

# transforms.conf
[sendToNullQueue]
REGEX = no new data found
DEST_KEY = queue
FORMAT = nullQueue

Your REGEX value should contain a regular expression matching the events you want to exclude.

See also https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Discard_specific_e....

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...