Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filtering debug statement

oilmouse
New Member
‎12-02-2014 01:18 PM

Hello,

I'm trying to filter out all the lines with DEBUG inside them. I've the following props.conf and transforms.conf but still not working.

Did I make any mistake please? How can I debug this please? Thanks.

props.conf:

[ABCLogs]
TRUNCATE = 100000
SHOULD_LINEMERGE = true
# BREAK_ONLY_BEFORE_DATE = true
BREAK_ONLY_BEFORE = \d+\s\w\w\w\s\d\d\d\d\s\d\d:\d\d:\d\d\,\d\d\d\s
TRANSFORMS-ABCLogs = ABC_setparsing,ABC_setnull

transforms.conf:

[ABC_setnull]
REGEX = (.*)DEBUG(.*)
DEST_KEY = queue
FORMAT = nullQueue

[ABC_setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Cheers,
Jack

Tags (1)
0 Karma
Reply

MuS
Legend
‎12-02-2014 01:35 PM

Hi olimouse,

a few things to pay attention here:

is your sourcetype really ABCLogs ? This must match exactly
Is your props.conf and transforms.conf on the Splunk server doing event parsing? See this wiki to learn more: http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
The regex in [ABC_setnull] could also just be REGEX = DEBUG
Did you restart your Splunk server after the changes?
Did you try to change the order in the props.conf to something like this:

TRANSFORMS-ABCLogs = ABC_setnull, ABC_setparsing

cheers, MuS

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...