cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
hernanrodriguez
Explorer
Member since: ‎01-11-2021
‎01-15-2021
Community Statistics
Posts 5
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎01-11-2021
View All

Re: Filter events based on sourcetype and text at ...

by in Getting Data In
‎01-15-2021 04:48 AM
‎01-15-2021 04:48 AM
Finally I resolved my problem filtering by "source". The structure for containers is something like this: /var/log/containers/*log So, my stanza now is: [source::/var/log/containers/(containerNumberFour*|containerNumberFive*)] Thanks @scelikok for your help               ... View more

Re: coldToFrozen Azure blob storage account

by in Getting Data In
‎01-13-2021 05:04 AM
‎01-13-2021 05:04 AM
Hi @morphis72  Also I have Splunk Enterprise deployed as IaaS on Azure. How did you resolve your problem? T There're a lot of information about Splunk and S3 on AWS, but sadly not for Blob Storage & Azure     ... View more

Re: Filter events based on sourcetype and text at ...

by in Getting Data In
‎01-12-2021 11:56 AM
‎01-12-2021 11:56 AM
It didn't work 😞 Actually one of the sourcetypes is a bit different: [(?::){0}kube:container:ms\-loan\-mobile\-exp.*] Could be a problem with the special characters: "-"? something like this should work? [.*ms\-loan\-mobile\-exp.*] ... View more

Re: Filter events based on sourcetype and text at ...

by in Getting Data In
‎01-12-2021 09:24 AM
‎01-12-2021 09:24 AM
I tried that yesterday, but It wasn't work. The sourcetype is dynamic, so I configured something like this:   [(?::){0}kube:containerNumberFour*] TRANSFORMS-set= drop_BCI_INI_EventsByText  Can I use the * symbol to match any sourcetype with the prefix "containerNumberFour"? I mean, my sourcetypes are something like: kube:containerNumberFour-rev-1.1 kube:containerNumberFour-rev-1.2 kube:containerNumberFour-rev-2.0   Thanks @scelikok for your help ... View more

Filter events based on sourcetype and text at the ...

by in Getting Data In
‎01-11-2021 06:00 PM
‎01-11-2021 06:00 PM
Hello guys I have the following scenario: I'm receiving a lot of logs from a Kubernetes Clusters I'm sending logs from Kubernetes to a Splunk Heavy Forwarder using Splunk Connect for Kubernetes The sourcetypes names are assigned by Splunk Connect using a structure like this: kube:container:* (example: kube:container:containerNumberOne) I have the following confs in props.conf and transforms.conf files: [(?::){0}kube:*] NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true TRANSFORMS-set= setnull, allowEvents, dropEventsByText, dropEventsBySourcetype, set_sourcetype   [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [allowEvents] REGEX = LOG_INI|LOG_FINOK|LOG_FINEX|LOG_FINNEG DEST_KEY = queue FORMAT = indexQueue [dropEventsBySourcetype] SOURCE_KEY=MetaData:Sourcetype REGEX = containerNumberOne|containerNumberTwo DEST_KEY = queue FORMAT = nullQueue [dropEventsByText] REGEX = debug|DEBUG DEST_KEY = queue FORMAT = nullQueue [set_sourcetype] SOURCE_KEY=MetaData:Sourcetype REGEX = kube\:container\:(.*)\-re\- FORMAT = sourcetype::$1 DEST_KEY = MetaData:Sourcetype These filters (and the sourcetype rename) have been working well for a while and as you may observe, they filter events based on a text contained in the log or by a text in the sourcetypes name. The problem is that I have a new requirement. I need to drop events based on 2 rules at the same time: a sourcetype name and a text in the log. Specifically, there are some logs with the sourcetype name containerFour and the text LOG_INI that I need to drop. I guess I need something like this (but I know te conf is wrong): [dropEventsBySourcetypeAndText] SOURCE_KEY=MetaData:Sourcetype REGEX = containerNumberFour REGEX = BCI_INI DEST_KEY = queue FORMAT = nullQueue     Does someone know what i need to do? Thanks in advance    ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-15-2021 08:10 AM