Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I filter out DEBUG entries from a linux / Unix logfile with the heavy forwarder?

gozulin
Communicator
‎01-30-2014 02:26 PM

We're having some licensing violations when we need to turn on DEBUG on some of our services and we'd like to just have a regex nullqueue any debug entries before forwarding them to the indexers.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gozulin
Communicator
‎01-30-2014 05:31 PM

Using the previous answer, here is what worked to filter out DEBUG messages:

in props.conf:

TRANSFORMS-null= setnull
[mysourcetype]
NO_BINARY_CHECK = 1
pulldown_type = 1

In transforms.conf:

[setnull]
REGEX = [DEBUG]
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mukherjee_mk
Explorer
‎12-15-2015 07:15 PM

Thanks for your help folks. I notice that we have to keep these rows in the right order though. The name of the sourcetype should be at the beginning of the segment.

in props.conf (notice that the sourcetype is the first line of the segment):
[mysourcetype]
TRANSFORMS-null= setnull
NO_BINARY_CHECK = 1
pulldown_type = 1

In transforms.conf:
[setnull]
REGEX = DEBUG
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply
Solved! Jump to solution
Solution

gozulin
Communicator
‎01-30-2014 05:31 PM

Using the previous answer, here is what worked to filter out DEBUG messages:

in props.conf:

TRANSFORMS-null= setnull
[mysourcetype]
NO_BINARY_CHECK = 1
pulldown_type = 1

In transforms.conf:

[setnull]
REGEX = [DEBUG]
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply
Solved! Jump to solution

gozulin
Communicator
‎01-31-2014 09:42 AM

Huh, you're right of course. It's weird because the content of the file actually has backslashes in it. Not sure why they didn't show up!

[setnull]
REGEX = \[DEBUG\]
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎01-30-2014 09:53 PM

Have you verified that this is not matching more than you intended? In regex terms, that should match anything with a capital D, E, B, U, or G.

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎01-30-2014 04:13 PM

You should be able to follow the guidance of this answers post but replace the regex with DEBUG. You could make the regex more specific by providing a few example logs (e.g., LogLevel DEBUG if that's what your logs look like).

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...