Splunk Enterprise

Filter data in log files

JagsP
Explorer

Hello everyone,

I want to filter data for a specific keyword "Snapshot created successfully " from a log file, but I am getting other events also along with the searched keyword. My entries in props.conf and transform.conf are as below:
props.conf
[sourcetype]
TRANSFORMS-filter = stanza

transforms.conf

[stanza]
REGEX = "Snapshot created successfully"
DEST_KEY = queue
FORMAT = indexqueue

Is there any issue here ?


Bhumi
Explorer

Hello @JagsP 

Please update the [stanza] regex as follows:

REGEX = successful\, returned exit code \'0\'

Note: Make sure to place the configurations correctly, otherwise it will not work.

For example, if your data flow is UF->HF->Indexer, parsing occurs at the full Enterprise instance, with the HF being the first layer where this takes place.

Additionally, here is the documentation for routing and filtering data, which will help you understand the core concepts.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Forwarding/Routeandfilterdatad

For learning and writing regex for your data, you can use the platform https://regex101.com/

If this resolves your issue, please accept and upvote the answers.

Happy Splunking!


Bhumi
Explorer

Hello @JagsP 

1. What is the data flow? For example: UF->HF->Indexer. And where have you placed your configurations?

2. Also, share a sample event, so I can help you with the regex part accordingly.

JagsP
Explorer
props.conf:

[sap_failure]
TRANSFORMS-filter = setnull,stanza

transform.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[stanza]
REGEX = "successful, returned exit code '0'"
DEST_KEY = queue
FORMAT = indexQueue

Content:

[16/Sep/2024:02:00:36 -05:00] INFO : [PID:0185317:Backup:360] [1] successful, returned exit code '0'
[16/Sep/2024:02:00:36 -05:00] DEBUG: [PID:0185317:SAPHANA:648] SQLSTRING: 'BACKUP DATA FOR FULL SYSTEM CLOSE SNAPSHOT BACKUP_ID 1726470003540 SUCCESSFUL 'hana_data_FHL__2024-09-16T070003-1779190Z''


Here in the content, if you see, I have other events which do not have the desired text string. I need to filter out all the other events.

PaulPanther
Motivator

If you want to filter out all other events, please try

props.conf


[sourcetype]
TRANSFORMS-filter = setnull,stanza


transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[stanza]
REGEX = "Snapshot created successfully"
DEST_KEY = queue
FORMAT = indexQueue

JagsP
Explorer

It did not work 😞 It is still giving all the events other than the expected one.


JagsP
Explorer

I am trying this out. I will let you know whether it worked! Thanks.

PaulPanther
Motivator

Where have you configured these settings? And how do you pull/push the data to your indexer? Are there any heavy forwarders involved?

Feel free to share a sample event with us.

JagsP
Explorer

Yes, heavy forwarders are being used, but how will that impact the data filtering?

PickleRick
SplunkTrust

It is important where you put your settings.

Parsing is done on the first "heavy" component in event's path to indexers. So if you have a HF as an intermediate forwarder, you need to put your props/transforms there.

Of course, you will still be getting the already indexed events when searching; index-time transforms are applied only to new events.

JagsP
Explorer

Is there any issue with the settings below? Also, is the regex wrong here?

[sourcetype]
TRANSFORMS-filter = setnull,stanza


transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[stanza]
REGEX = "Snapshot created successfully"
DEST_KEY = queue
FORMAT = indexQueue


PickleRick
SplunkTrust

Wait a second. Does your raw data contain the string in quotes or without them?

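To make the quoting question concrete, here is an added example (not code from this thread and not Splunk's own code) that parses the posted props.conf and transforms.conf text with Python's configparser and replays the queue-routing rule Splunk applies: every transform listed in TRANSFORMS-filter whose REGEX matches the raw event sets the queue, so the last match wins (setnull sends everything to nullQueue, then the allow-list stanza re-routes matches to indexQueue). The first two sample events are modelled on the ones posted above; the ERROR line and the line with the text inside double quotes are constructed for the demonstration. The claim that Splunk sorts multiple TRANSFORMS-<class> settings by class name is an assumption noted in the code; with a single TRANSFORMS-filter setting only the left-to-right order matters.

```python
"""Replay Splunk TRANSFORMS queue routing over sample events (added example)."""
import configparser
import re

# props.conf as posted in the thread.
PROPS = """
[sap_failure]
TRANSFORMS-filter = setnull,stanza
"""

# transforms.conf as posted: the double quotes are literal characters of the pattern.
TRANSFORMS_QUOTED = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[stanza]
REGEX = "successful, returned exit code '0'"
DEST_KEY = queue
FORMAT = indexQueue
"""

# Corrected transforms.conf: same stanzas, but no double quotes around the pattern.
TRANSFORMS_FIXED = TRANSFORMS_QUOTED.replace(
    "\"successful, returned exit code '0'\"", "successful, returned exit code '0'"
)

# Constructed sample events: first two modelled on the thread, last two invented
# (a non-matching ERROR line, and a line where the text really is in double quotes).
SAMPLE_EVENTS = [
    "[16/Sep/2024:02:00:36 -05:00] INFO : [PID:0185317:Backup:360] [1] successful, returned exit code '0'",
    "[16/Sep/2024:02:00:36 -05:00] DEBUG: [PID:0185317:SAPHANA:648] SQLSTRING: 'BACKUP DATA FOR FULL SYSTEM CLOSE SNAPSHOT BACKUP_ID 1726470003540 SUCCESSFUL 'hana_data_FHL__2024-09-16T070003-1779190Z''",
    "[16/Sep/2024:02:05:12 -05:00] ERROR: [PID:0185317:Backup:361] [1] failed, returned exit code '1'",
    "[16/Sep/2024:02:06:00 -05:00] INFO : [PID:0185317:Backup:362] result=\"successful, returned exit code '0'\"",
]


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), empty_lines_in_values=False
    )
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT exactly as written
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def transform_order(props, sourcetype):
    """Transform names to run, in order, for one sourcetype stanza."""
    order = []
    stanza = props.get(sourcetype, {})
    # Assumption: several TRANSFORMS-<class> settings run in sorted class order;
    # names inside one setting run left to right (that is what matters here).
    for key in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        order.extend(name.strip() for name in stanza[key].split(","))
    return order


def route_event(event, order, transforms):
    """Queue a raw event ends up in: the last matching queue transform wins."""
    queue = "indexQueue"  # default when no routing transform matches
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") != "queue":
            continue  # not a routing transform
        if re.search(t["REGEX"], event):  # unanchored search over _raw
            queue = t["FORMAT"]
    return queue


def indexed_events(props_text, transforms_text, sourcetype, events):
    """Return only the events that survive filtering (reach indexQueue)."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    order = transform_order(props, sourcetype)
    return [e for e in events if route_event(e, order, transforms) == "indexQueue"]


if __name__ == "__main__":
    for label, conf in (("quoted", TRANSFORMS_QUOTED), ("fixed", TRANSFORMS_FIXED)):
        kept = indexed_events(PROPS, conf, "sap_failure", SAMPLE_EVENTS)
        print(f"{label}: {len(kept)} of {len(SAMPLE_EVENTS)} events indexed")
        for e in kept:
            print("   ", e)
```

With the quoted pattern, only the invented event whose raw text contains the double quotes survives; the real backup line is dropped because the leading `"` never matches. With the quotes removed, the backup line is kept and the DEBUG and ERROR lines still go to nullQueue. To check which transforms.conf a heavy forwarder is actually using, run `$SPLUNK_HOME/bin/splunk btool transforms list stanza --debug` on that host; the --debug output shows the file each setting comes from.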

JagsP
Explorer

This is my error string "successful, returned exit code '0'", but apart from this error, other events are also getting returned. Please help in creating the regex for this, as I am new to regex. Also, how can we create regex, or where can we get help to create it?