Splunk Search

How do I filter (using regex) only particular lines from the log files?

ApurvaB
Engager

I am using the Splunk forwarder to receive log files from multiple monitors. I need to filter events, based on a regex, from one particular monitor. Is there a way I can do that?
I cannot use the RegEx in the Search field of Splunk Web, as it will apply it to the events coming from all the monitors.
To be specific, my inputs.conf file has the following monitors:

[monitor:////Monitor1]
disabled = false
followTail = true
index = myIndex
whitelist = .log$

[monitor:////Monitor2]
disabled = false
followTail = true
index = myIndex
whitelist = .log$

Files from Monitor1 contain lines that begin with [NOTE/WARN/ERROR] and other lines that don't. I am only interested in the lines that begin with [NOTE/WARN/ERROR] and want to filter out the other lines so that they don't appear in the search results on Splunk Web.

Is there a way I can achieve this?

0 Karma

the_wolverine
Champion

Assuming you are using a light (or universal) forwarder, you will need to use props.conf and transforms.conf set on your indexer (Splunk server) to parse the data.

  • props.conf

[source::.../Monitor1/...]
# "..." matches any path prefix; the trailing "/..." is needed so the stanza
# applies to the files inside Monitor1, not only to a source named Monitor1.
# Transforms run in the order listed: everything goes to nullQueue first,
# then matching events are pulled back into indexQueue.
TRANSFORMS-route = nullqueue,notewarnerror

  • transforms.conf

[notewarnerror]
REGEX = ^(NOTE|WARN|ERROR)
# Route the matching events back to the index queue; setting the index
# alone would leave them in nullQueue.
DEST_KEY = queue
FORMAT = indexQueue

[nullqueue]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

If you are using a heavy forwarder, these would need to be set on the heavy forwarder.

ApurvaB
Engager

Thanks for your response. Each of my events contains about 40-50 lines. If I use ^(NOTE|ERROR|WARN) it gives me only the first line of every log file.
Do I need to use a multi-line character in my regex? Something like (?m)^(NOTE|WARN|ERROR)
But this doesn't seem to filter correctly for me. Do you know any reason why this might happen?

0 Karma
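As an added example (not from any of the posters), the following props.conf/transforms.conf pair addresses both points raised in the thread: the regex is only tested against the start of each event, so a 40-50 line event yields one match at most, and the non-matching events have to be routed to nullQueue. The source stanza, the index, and the assumption that lines start literally with NOTE/WARN/ERROR are taken from the question; the setnull/setparsing routing is the standard Splunk pattern, and these settings go on the indexer (or heavy forwarder), not the universal forwarder.

```ini
# props.conf (indexer or heavy forwarder)
[source::.../Monitor1/...]
# Break the stream at every newline so each line becomes its own event.
# Without this, Splunk merges lines into multi-line events and the
# routing regex below only sees the first line of each event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Order matters: setnull runs first and discards everything, then
# setparsing overrides the queue for the events we want to keep.
TRANSFORMS-route = setnull,setparsing

# transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
# Assumes lines begin with the bare keyword; if they are bracketed
# ("[NOTE] ..."), use ^\[(NOTE|WARN|ERROR)\] instead.
REGEX = ^(NOTE|WARN|ERROR)
DEST_KEY = queue
FORMAT = indexQueue
```

If the 40-50 line events are meaningful as units (for example a message followed by its stack trace), keep the original line merging and instead anchor the regex to the first line only, because per-line breaking would drop every continuation line that does not start with a keyword.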

tom_frotscher
Builder

Hi!

You can filter out some events by using regular expressions. This is possible in the transforms.conf. For example, you can send all events that match a particular regular expression to the index queue, and all that don't match are sent to the null queue, which means they will be discarded.

For proper configuration information, take a look at link

I am not sure if it is applicable to a specific monitor, but I think you can identify/establish a unique source or sourcetype for all events from this monitor.
