cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
amit2301
New Member
Member since: ‎08-28-2017
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-28-2017
Activity Feed
View All

How can I filter events before they are indexed so...

by in Getting Data In
‎09-26-2017 06:16 AM
‎09-26-2017 06:16 AM
I tried this solution but no success. I am trying to filter data from being indexed.I need only the Error events In props conf: [source:://C:\Windows\System32\winevt\Logs] Transforms must be applied in this order to make sure events are dropped on the floor prior to making their way to the index processor TRANSFORMS-set = setnull, setparsing In transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = Error DEST_KEY = queue FORMAT = indexQueue ... View more

Re: How do i exclude some events from being indexe...

by in Getting Data In
‎09-26-2017 02:05 AM
‎09-26-2017 02:05 AM
I tried this solution but no success. I am trying to filter data from being indexed.I need only the Error events In props conf: [source:://C:\Windows\System32\winevt\Logs] Transforms must be applied in this order to make sure events are dropped on the floor prior to making their way to the index processor TRANSFORMS-set = setnull, setparsing In transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = Error DEST_KEY = queue FORMAT = indexQueue ... View more

Re: filter events on indexer

by in Splunk Search
‎09-26-2017 12:41 AM
‎09-26-2017 12:41 AM
Hi , I am trying to nullify the windows event log which are of "type=Information" and i want only the events having errors and warnings. i am not able to achieve kindly help . I am using below: props.conf [WinEventLog:Application] TRANSFORMS-set= setnull transforms.conf [setnull] REGEX = "Type=Information" DEST_KEY = queue FORMAT = nullQueue ... View more

I have 100 alerts configured with certain conditio...

by in Getting Data In
‎08-28-2017 02:51 AM
‎08-28-2017 02:51 AM
I have 100 alerts configured with certain condition, I have to change the condition but don't want to go to every alert and change the condition instead change in 1 place and it should change in all the places ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM