Getting Data In

Syslog UDP data filtering to index

mookiie2005
Communicator

We have data that comes into UDP port 514 on a heavy forwarder that we then send to our indexers. The data looks like the below:

Aug 26 12:23:19 10.142.102.50 Aug 26 12:23:18 pl-wlmuatdp4 [in01_sr][latency][info] wsgw(AutoPolicyManager): trans(76922997)[10.142.99.6]: Latency: 0 47 0 15 47 10 0 194 241 195 241 241 236 226 15 47
host=10.142.102.50 | sourcetype=Datapower | source=udp:514 | Test001=pl-wlmuatdp4

We want to filter the data based on the field "in01_sr"; the field has 4 possible values. Does anyone know how we can filter based on this value? Would it be done on the indexers or on the heavy forwarder? We would like to set it up so that we route to a separate index based on that value.

0 Karma
1 Solution

mookiie2005
Communicator

# props.conf (on the heavy forwarder, the first instance that parses the events)
[Datapower]
# One TRANSFORMS-<class> key with a comma-separated list. A key repeated on
# several lines inside one stanza keeps only its last value, so four separate
# TRANSFORMS-routing lines would leave only uat_sr_routing active.
TRANSFORMS-routing = st02_sr_routing, in01_sr_routing, pf04_sr_routing, uat_sr_routing

# transforms.conf
# Each regex is anchored on the bracketed tag so a stray "st02_sr" elsewhere in
# the message cannot re-route an event. The target indexes must already exist
# on the indexers; an event that matches none of them stays in the default index.
[st02_sr_routing]
REGEX = \[st02_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_SIT

[in01_sr_routing]
REGEX = \[in01_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_INT

[pf04_sr_routing]
REGEX = \[pf04_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_Perf

[uat_sr_routing]
REGEX = \[uat_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_uat

The above stanzas worked for what we were trying to do.

yannK
Splunk Employee

Filter on the heavy forwarder if you have any; otherwise on the indexer (the instance that will be parsing the events first).
You can see this page for nullQueue examples:

http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Routeandfilterdatad#Discard_specific_events...

0 Karma
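To try a routing set like the one in the accepted answer, together with the nullQueue discard that the linked docs page describes, before it goes onto the heavy forwarder, here is an added example in Python. It is not code from the original thread or from Splunk: it embeds the four routing stanzas with the regexes anchored on the bracketed tag, adds a hypothetical drop_debug stanza that sends [debug] events to nullQueue, and reports where each of four constructed sample events lands. The default index name main, the qa99_sr tag, the second to fourth events and the drop_debug stanza are assumptions, and the emulation is deliberately minimal (regex search on the raw event, transforms in listed order, last write to a key wins).

```python
"""Offline check of Splunk index-routing and nullQueue transforms.
Added example, not code from the original post or from Splunk: it
re-implements just enough of TRANSFORMS handling (REGEX against the raw
event, listed order, last match to write a key wins) to try a props.conf
and transforms.conf pair on sample events before deploying them."""
import re
from configparser import ConfigParser

# Constructed props.conf: one TRANSFORMS-<class> key holding a comma-separated list.
PROPS_CONF = """
[Datapower]
TRANSFORMS-routing = st02_sr_routing, in01_sr_routing, pf04_sr_routing, uat_sr_routing, drop_debug
"""

# Constructed transforms.conf. Regexes are anchored on the bracketed tag so a
# stray "in01_sr" elsewhere in the message cannot re-route an event. drop_debug
# is a hypothetical (assumed) nullQueue filter in the style of the docs page linked above.
TRANSFORMS_CONF = r"""
[st02_sr_routing]
REGEX = \[st02_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_SIT
[in01_sr_routing]
REGEX = \[in01_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_INT
[pf04_sr_routing]
REGEX = \[pf04_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_Perf
[uat_sr_routing]
REGEX = \[uat_sr\]
DEST_KEY = _MetaData:Index
FORMAT = Datapower_uat
[drop_debug]
REGEX = \]\[debug\]
DEST_KEY = queue
FORMAT = nullQueue
"""

# props.conf in the shape first posted: the key repeated instead of listed.
# Splunk keeps only the last value of a key repeated inside one stanza, so
# with this file only uat_sr_routing would ever run.
DUPLICATED_PROPS_CONF = """
[Datapower]
TRANSFORMS-routing = st02_sr_routing
TRANSFORMS-routing = in01_sr_routing
TRANSFORMS-routing = pf04_sr_routing
TRANSFORMS-routing = uat_sr_routing
"""

# Constructed sample events; the first is the line quoted in the question.
SAMPLE_EVENTS = [
    "Aug 26 12:23:19 10.142.102.50 Aug 26 12:23:18 pl-wlmuatdp4 [in01_sr][latency][info] wsgw(AutoPolicyManager): trans(76922997)[10.142.99.6]: Latency: 0 47 0 15 47 10 0 194 241 195 241 241 236 226 15 47",
    "Aug 26 12:24:01 10.142.102.51 Aug 26 12:24:00 pl-wlmuatdp5 [uat_sr][latency][info] wsgw(AutoPolicyManager): trans(76923001)[10.142.99.7]: Latency: 0 12 0 9",
    "Aug 26 12:24:02 10.142.102.52 Aug 26 12:24:01 pl-wlmperfdp1 [pf04_sr][mpgw][debug] rule 'debug-probe' matched on /service/echo",
    "Aug 26 12:24:03 10.142.102.53 Aug 26 12:24:02 pl-wlmqadp1 [qa99_sr][latency][info] wsgw(AutoPolicyManager): trans(76923002)[10.142.99.8]: Latency: 1 3 0 2",
]


def load_conf(text):
    """Parse a Splunk-style .conf into {stanza: {key: value}}. strict=False
    resolves a repeated key to its last value, as Splunk does; optionxform=str
    keeps key case; only '=' separates key from value."""
    cp = ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def route(event, props, transforms, sourcetype="Datapower", default_index="main"):
    """Return the index an event lands in, or None if it goes to nullQueue."""
    keys = {"_MetaData:Index": default_index, "queue": "indexQueue"}
    stanza = props.get(sourcetype, {})
    # Several TRANSFORMS-<class> keys run in ASCII order of the class name;
    # within one class the transforms run in the listed order.
    for cls in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        for name in (n.strip() for n in stanza[cls].split(",") if n.strip()):
            t = transforms[name]
            if re.search(t["REGEX"], event):
                keys[t["DEST_KEY"]] = t["FORMAT"]
    return None if keys["queue"] == "nullQueue" else keys["_MetaData:Index"]


def route_all(props_text=PROPS_CONF, events=SAMPLE_EVENTS):
    """Destination per event, in the order of events (None = discarded)."""
    props, transforms = load_conf(props_text), load_conf(TRANSFORMS_CONF)
    return [route(e, props, transforms) for e in events]


if __name__ == "__main__":
    for event, dest in zip(SAMPLE_EVENTS, route_all()):
        print(f"{dest or 'nullQueue':>14}  {event[:72]}")
```

Running the script prints one line per event: the in01_sr and uat_sr events go to Datapower_INT and Datapower_uat, the [debug] event is discarded even though pf04_sr_routing matched it first, and the unknown qa99_sr tag falls through to the default index. Calling route_all(DUPLICATED_PROPS_CONF) shows what a props.conf with TRANSFORMS-routing repeated on four lines does: only the uat_sr event is routed. A nullQueue discard happens on the parsing instance, so a dropped event never reaches the indexers; test the regex on real samples before enabling it.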