All Posts

Morning. Thank you for the response. The Dashboard is a Classic Dashboard; I definitely don't see as many options for inputs as you have above. I'll have a look at the lookup option to speed up the search. That's something I never thought of, thank you.

Kind regards,
Paula
Hi @BoldKnowsNothin .. Yes, Splunk detects the "pattern" in the log lines. May we know more details from you? From the subject, it looks like you want to drop (don't want to ingest) a portion of the logs. If that's correct, please provide us more details: 1) the sample logs; 2) do you have an HF or no HF; 3) the props.conf / transforms may be needed later. Thanks.
logger:integration-fabrics-exp-api.put:\orders\submit\(storeid).Exception    message: [10-12 05:36:03] INFO Exception [[MuleRuntime].uber.12973: [integration-fabrics-exp-api-prod].util:logger-exception/processors/0.ps.BLOCKING @8989]: { "correlationId" : "787979-50ac-4b6f-90bd-64f1b6f79985", "message" : "Exception", "tracePoint" : "EXCEPTION", "priority" : "INFO", "category" : "kfc-integration-fabrics-exp-api.put:\\orders\\submit\\(storeid).Exception", "elapsed" : 3806, "locationInfo" : { "lineInFile" : "69", "component" : "json-logger:logger", "fileName" : "common/common-logger-flow.xml", "rootContainer" : "util:logger-exception" }, "timestamp" : "2023-10-12T05:36:03.317Z", "content" : { "payload" : { "api" : "integration-fabrics-exp-api-prod", "message" : "{\n \"externalOrderId\": \"275769403\",\n \"instruction\": \"275769403\",\n \"items\": [\n {\n \"id\": \"I-30995\",\n \"name\": \"Regular Chips\",\n \"unitPrice\": 445,\n \"quantity\": 1,\n \"subItems\": []\n },\n {\n \"id\": \"I-30057\",\n \"name\": \"Regular Potato \\u0026 Gravy\",\n \"unitPrice\": 545,\n \"quantity\": 1,\n \"subItems\": []\n },\n {\n \"id\": \"I-30017\",\n \"name\": \"3 Wicked Wings®\",\n \"unitPrice\": 695,\n \"quantity\": 1,\n \"subItems\": []\n },\n {\n \"id\": \"I-898-0\",\n \"name\": \"Kids Meal with Nuggets\",\n \"unitPrice\": 875,\n \"quantity\": 1,\n \"subItems\": [\n {\n \"id\": \"M-41687-0\",\n \"name\": \"4 Nuggets\",\n \"unitPrice\": 0,\n \"quantity\": 1,\n \"subItems\": []\n },\n {\n \"id\": \"M-40976-0\",\n \"name\": \"Regular Chips\",\n \"unitPrice\": 0,\n \"quantity\": 1,\n \"subItems\": []\n },\n {\n \"id\": \"M-40931-0\",\n \"name\": \"Regular 7Up\",\n \"unitPrice\": 0,\n \"quantity\": 1,\n \"subItems\": []\n }\n ]\n },\n {\n \"id\": \"I-32368-0\",\n \"name\": \"Kids Meal with Nuggets\",\n \"unitPrice\": 875,\n \"quantity\": 1,\n \"subItems\": [\n {\n \"id\": \"M-41687-0\",\n \"name\": \"4 Nuggets\",\n \"unitPrice\": 0,\n \"quantity\": 1,\n \"subItems\": []\n },\n {\n 
\"id\": \"M-40976-0\",\n \"name\": \"Regular Chips\",\n \"unitPrice\": 0,\n \"quantity\": 1,\n \"subItems\": []\n },\n {\n \"id\": \"M-40931-0\",\n \"name\": \"Regular 7Up\",\n \"unitPrice\": 0,\n \"quantity\": 1,\n \"subItems\": []\n }\n ]\n }\n ],\n \"customer\": {\n \"firstName\": \"9403\",\n \"lastName\": \"ML\",\n \"email\": \"ghgjhgj@hotmail.com\",\n \"phoneNumber\": \"897987\"\n },\n \"tenders\": [\n {\n \"type\": \"credit-card\",\n \"amount\": 3435\n }\n ],\n \"discountLines\": []\n}", "description" : "HTTP PUT on resource 'http://mule-worker-internal-order-sys-api-prod.au-s1.cloudhub.io:8091/orders/submit/716' failed: bad request (400).", "correlationId" : "1cb22ac0-50ac-4b6f-0988-64f1b6f79985", "category" : "integration-fabrics-exp-api.put:\\orders\\submit\\(storeid)", "timeStamp" : "2023-10-12T16:36:03:316000Z", "incomingMessage" : { "externalOrderId" : "9898", "instruction" : "275769403", "items" : [ { "id" : "I-30995", "name" : "Regular Chips", "unitPrice" : 445, "quantity" : 1, "subItems" : [ ] }, { "id" : "I-30057", "name" : "Regular Potato & Gravy", "unitPrice" : 545, "quantity" : 1, "subItems" : [ ] }, { "id" : "I-30017", "name" : "3 Wicked Wings®", "unitPrice" : 695, "quantity" : 1, "subItems" : [ ] }, { "id" : "I-32368-0", "name" : "Kids Meal with Nuggets", "unitPrice" : 875, "quantity" : 1, "subItems" : [ { "id" : "M-41687-0", "name" : "4 Nuggets", "unitPrice" : 0, "quantity" : 1, "subItems" : [ ] }, { "id" : "M-40976-0", "name" : "Regular Chips", "unitPrice" : 0, "quantity" : 1, "subItems" : [ ] }, { "id" : "M-40931-0", "name" : "Regular 7Up", "unitPrice" : 0, "quantity" : 1, "subItems" : [ ] } ] }, { "id" : "I-32368-0", "name" : "Kids Meal with Nuggets", "unitPrice" : 875, "quantity" : 1, "subItems" : [ { "id" : "M-41687-0", "name" : "4 Nuggets", "unitPrice" : 0, "quantity" : 1, "subItems" : [ ] }, { "id" : "M-40976-0", "name" : "Regular Chips", "unitPrice" : 0, "quantity" : 1, "subItems" : [ ] }, { "id" : "M-40931-0", "name" : "Regular 7Up", 
"unitPrice" : 0, "quantity" : 1, "subItems" : [ ] } ] } ], "customer" : { "firstName" : "9403", "lastName" : "ML", "email" : "ns@hotmail.com", "phoneNumber" : "98908" }, "tenders" : [ { "type" : "credit-card", "amount" : 3435 } ], "discountLines" : [ ] }, "errorMetadata" : { "errorType" : { "parentErrorType" : { "identifier" : "ANY", "namespace" : "MULE" }, "identifier" : "BAD_REQUEST", "namespace" : "HTTP" }, "description" : "HTTP PUT on resource 'http://mule-worker-internal-order-sys-api-prod.au-s1.cloudhub.io:8091/orders/submit/898' failed: bad request (400).", "additionalDetails" : "HTTP PUT on resource 'http://mule-worker-internal-order-sys-api-prod.au-s1.cloudhub.io:8091/orders/submit/716' failed: bad request (400).", "exception" : { "correlationId" : "1cb22ac0-50ac-4b6f-90bd-78979", "timestamp" : "2023-10-12T16:36:03:273000Z", "errorType" : "400 HTTP:BAD_REQUEST", "description" : "{\"code\":\"ghgj\",\"message\":\"CTT failed items. ModifierRequirementNotMet - 4 Nuggets,ModifierRequirementNotMet - 4 Nuggets\"}" } } } }, "applicationName" : "integration-fabrics-exp-api-prod", "applicationVersion" : "", "environment" : "prod", "threadName" : "[MuleRuntime].uber.12973: [integration-fabrics-exp-api-prod].util:logger-exception/processors/0.ps.BLOCKING @64c03d54" }

Here is the sample logger from which we need to group only the error message, "description" : "{\"code\":\"ghgj\",\"message\":\"CTT failed items. ModifierRequirementNotMet - 4 Nuggets,ModifierRequirementNotMet - 4 Nuggets..." and create an alert checking if we are getting more than 3 such continuous errors within an hour.
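As an added example (not code from the post or from Splunk), the Python below does offline what the requested alert needs: it pulls the nested errorMetadata.exception.description message out of each logger event and flags any message seen more than three times inside a sliding one-hour window; in SPL the same two steps are a field extraction (spath or rex) followed by a count over a one-hour window. The events are constructed to mirror the structure of the event above and are not real log lines; the helper names are assumptions.

```python
"""Group json-logger exception events by error message and flag messages
that recur more than N times in a time window. Sample events are constructed
to mirror the post's structure (top-level "timestamp"; nested
content.payload.errorMetadata.exception.description holding a JSON string)."""
import json
from datetime import datetime, timedelta

MSG = "CTT failed items. ModifierRequirementNotMet - 4 Nuggets"
OTHER = "CTT failed items. ItemNotFound - Regular Chips"   # constructed

def make_event(ts: str, message: str) -> str:
    """Constructed logger line: text prefix, then the JSON event body."""
    inner = json.dumps({"code": "ghgj", "message": message})
    body = {"timestamp": ts, "content": {"payload": {"errorMetadata": {
        "exception": {"errorType": "400 HTTP:BAD_REQUEST",
                      "description": inner}}}}}
    prefix = ("logger:integration-fabrics-exp-api.put:\\orders\\submit\\"
              "(storeid).Exception message: INFO Exception: ")
    return prefix + json.dumps(body)

def extract_error(line: str):
    """Return (timestamp, message) for an exception event, else None."""
    start = line.find("{")            # JSON body begins at the first brace
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
        exc = event["content"]["payload"]["errorMetadata"]["exception"]
        desc = json.loads(exc["description"])   # description is JSON-in-a-string
        ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    except (ValueError, KeyError, TypeError):
        return None                   # not an exception event, or malformed
    return ts, desc.get("message", "")

def runs_over_threshold(lines, threshold=3, window=timedelta(hours=1)):
    """Return {message: peak_count} for messages seen more than `threshold`
    times inside any sliding window of length `window`."""
    by_msg = {}
    for line in lines:
        parsed = extract_error(line)
        if parsed:
            ts, msg = parsed
            by_msg.setdefault(msg, []).append(ts)
    flagged = {}
    for msg, stamps in by_msg.items():
        stamps.sort()
        peak = oldest = 0
        for i, t in enumerate(stamps):
            while stamps[oldest] < t - window:   # slide the window start
                oldest += 1
            peak = max(peak, i - oldest + 1)
        if peak > threshold:
            flagged[msg] = peak
    return flagged

SAMPLE_LINES = [                      # constructed events, not real logs
    make_event("2023-10-12T05:36:03.317Z", MSG),
    make_event("2023-10-12T05:48:10.000Z", MSG),
    make_event("2023-10-12T06:02:45.120Z", MSG),
    make_event("2023-10-12T06:20:00.000Z", OTHER),
    make_event("2023-10-12T06:31:59.000Z", MSG),   # 4th within one hour
    make_event("2023-10-12T09:00:00.000Z", MSG),   # isolated recurrence
    "plain text line with no JSON body",
]
```

The same parse shows that the payload carries customer name, e-mail and phone fields alongside the error, which are worth masking at ingest before this data is indexed for alerting.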
JSON is data-oriented. Everything is treated as data. But just like a comment is useless and harmless code in "normal" computing languages, you can think of a comment as useless and harmless data in JSON. The trick is to embed useless data in keys that the application does not reject yet does not utilize. One trick I found on Stackoverflow (there are many like that) is to place an unusual character at the beginning of a key, but you can design your own pattern as long as DS doesn't find it objectionable and doesn't act on it. This example uses "_comment":

{
  "visualizations": {
    "viz_OQMhku6K": {
      "type": "splunk.ellipse",
      "_comment": "about visualization"
    }
  },
  "dataSources": {
    "_comment": [ "datasource comment 1", "source comment 2" ]
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "type": "input.timerange",
      "options": { "token": "global_time", "defaultValue": "-24h@h,now" },
      "title": "Global Time Range"
    }
  },
  "layout": {
    "type": "absolute",
    "_comment": "something about layout",
    "options": {
      "display": "auto-scale",
      "backgroundImage": {
        "sizeType": "contain",
        "x": 0,
        "y": 0,
        "src": "splunk-enterprise-kvstore://649ab2cf9e8252528a4843f1"
      }
    },
    "structure": [
      {
        "item": "viz_OQMhku6K",
        "type": "block",
        "position": { "x": 130, "y": 60, "w": 130, "h": 130 },
        "_comment": "structure comment here"
      }
    ],
    "globalInputs": [ "input_global_trp" ]
  },
  "_comment": "general comments go here",
  "description": "",
  "title": "Test Dashboard Studio comment"
}

Hope this helps.
Hi. Can you tell me the SPL to fetch the password expiry date and username from search results?
Thanks for the answer, but can I do this without appendpipe?
Hello comrades! I just wonder, does Splunk detect log similarity by its pattern? Many thanks.
I've tried to enable boot-start on *nix and Windows, but after the machine reboots, Splunk Forwarder still cannot start automatically. Does anyone have a solution for this case?
Hello, how do I add a dropdown or a text input at any location in Dashboard Studio? I tried to put it inside the rectangle in the middle of my dashboard, but it stayed at the top of the dashboard below the title. I tried to move the "inputs" section in the JSON source code, but it didn't seem to work. Also, whenever I made changes in the source code, I wasn't able to revert them easily like I could on the classic dashboard. Please suggest. Thank you.
Hi @ITWhisperer, is there any way to match the IP without expanding the IP?
Hi @azulueta

Try the following query:

index=tenable sourcetype=tenable:io:assets | stats count values(hostnames) BY agent_uuid | where count > 1

Hope that helps.
Hi @harishsplunk7,

I'm a Community Moderator in the Splunk Community. This question was posted 3 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you!
Hi, I am new to Splunk and am looking for a search that is able to identify duplicate field values. We have an issue in Tenable that assets have duplicate asset IDs. My initial search is:

index=tenable sourcetype=tenable:io:assets | stats count by hostnames, agent_uuid

This lists hostnames with their unique ID in a table. I need to show only hostnames with the same agent_uuid. I don't know if I need to export this and put it in a lookup table and then compare the agent_uuid values from there and show just the duplicates, but I was hoping for a more straightforward search to do this. Thank you.
Hi @richgalloway @gcusello, how can we utilize btool on the host to troubleshoot whether the Universal Forwarder (UF) is utilizing an inputs.conf file other than the one intended for the Windows_TA? Despite applying the correct regex filters, we are still encountering issues with events not being properly blacklisted. ThanQ
The first set of props will not ingest a CSV properly. The second should work much better.

In which Splunk instance did you make the change? It should be done on the indexers and heavy forwarders (if you have them). Use btool on an indexer to make sure the settings are as expected:

splunk btool --debug props list aws:s3:csv

The change will apply to new data only.
The EventCode key and $XmlRegex key use two different regular expressions. The former is simple and certain to work correctly, whereas the latter is not. That is why I showed a corrected $XmlRegex expression.

The regex101.com expression is working fine. Include sample data that matches the expression and you'll see.

https://regex101.com/r/ZTE3Z4/1
Hi all,

I am trying to get Azure AD B2C to work as a SAML provider for Splunk. Has anyone managed to get this to work?

Please advise. I followed all the available online resources, but nothing is working.
The Splunk DLTK 5.1.0 documentation says the following:

"No indexer distribution. Data is processed on the search head and sent to the container environment. Data cannot be processed in a distributed manner, such as streaming data in parallel from indexers to one or many containers. However, all advantages of search in a distributed Splunk platform deployment still exist."

Does the above imply that data from Splunk is not distributed (such as data parallelism) among multiple containers in the Kubernetes execution environment during the training or inference phase? Further, is the distribution only vertical in nature (multi-CPU or multi-GPU in a single container), or can the jobs scale horizontally as well (multiple containers), with each container working on a partition of the data? Further, for executing TensorFlow, PyTorch, Spark or Dask jobs, do we need to have the required operators/services pre-installed (the Spark K8s operator, for example) prior to submitting the jobs from the Splunk Jupyter notebook? Or are these services set up during DLTK app installation and configuration in Splunk? Appreciate any inputs on the above query. Thanks in advance!
Hi @richgalloway, why is there no EventCode 4688 in the regex? This is not working: https://regex101.com/r/45I3Kt/1. Please check it once. Thanks