Want to forward selective portion of the log file by forwarder to indexer

somnathnag
Engager

Hello:
What do I have to set in inputs.conf or outputs.conf on the forwarder so that I can send a selective portion of the application log file to the indexer? At present our setup forwards the whole log file, which we don't need, and this is hurting network performance as well.
Thanks
Somnath


lguinn2
Legend

Take a look at the following in the manual

Perform selective indexing and forwarding

You can filter the data in two different places:

  • Option 1: Filter on the indexer(s). This is the recommendation when you are filtering less than 50% of the data. Why? Because by filtering on the indexer(s), you can use the Universal Forwarder on the production systems.
  • Option 2: Filter on the forwarders. This requires that you use the heavy forwarder instead of the Universal Forwarder, and it will take some processing cycles on the production systems. Still, this may be the best choice if you are seeing network performance issues, or if you are filtering out more than 50% of the data.

The syntax and configuration files are exactly the same in either case - it is simply a matter of where you put them.


lguinn2
Legend

Example: Assume that the data you want to filter is in a file named big.log. (Note that in real life, you would have to provide the full path.)

You want to eliminate any lines that have the word INFO or WARN.

In the configuration file $SPLUNK_HOME\etc\system\local\props.conf

[source::big.log]
TRANSFORMS-t1 = filterEvents

In the configuration file $SPLUNK_HOME\etc\system\local\transforms.conf

[filterEvents]
REGEX = (?:INFO|WARN)
DEST_KEY = queue
FORMAT = nullQueue
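As an added illustration, not part of the answer above, here is a small Python emulation of how Splunk routes events through a TRANSFORMS list whose stanzas set DEST_KEY = queue: each matching transform overwrites the queue key, so the last match wins, and anything still in indexQueue after the list is indexed while nullQueue events are discarded before indexing and cannot be recovered later. It runs the answer's `(?:INFO|WARN)` regex over a handful of constructed log lines (the events and the `ANCHORED_FILTER` / `ALLOWLIST` names are assumptions made here) and shows the caveat a practitioner should check before turning this on: the regex is unanchored, so an ERROR event that merely contains the substring "INFORMATION" is dropped too. Splunk's REGEX is PCRE, so the `\b` word boundaries used in the anchored variant are valid there as well; the allowlist variant is the "discard everything, then re-route what you want" pattern, which depends on the stanza order in TRANSFORMS-t1.

```python
import re

# Constructed sample events for the demonstration (not from the original post).
SAMPLE_EVENTS = [
    "2024-05-01 10:00:01 INFO  app started",
    "2024-05-01 10:00:02 WARN  disk usage at 85%",
    "2024-05-01 10:00:03 ERROR connection refused by upstream",
    "2024-05-01 10:00:04 ERROR failed to forward INFORMATION to peer",
    "2024-05-01 10:00:05 DEBUG retrying in 5s",
]


def queue_for(event, transforms):
    """Return the queue an event ends up in for one TRANSFORMS-<class> list.

    `transforms` is a list of (REGEX, FORMAT) pairs in the order they are
    named in props.conf; each pair stands for a transforms.conf stanza with
    DEST_KEY = queue. Every stanza whose REGEX matches rewrites the queue key,
    so a later match overrides an earlier one. Events matching nothing stay
    in the default indexQueue.
    """
    queue = "indexQueue"
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def route_events(events, transforms):
    """Return [(event, queue), ...] for every event, in input order."""
    return [(e, queue_for(e, transforms)) for e in events]


def kept(events, transforms):
    """Events that survive filtering, i.e. were not sent to nullQueue."""
    return [e for e, q in route_events(events, transforms) if q != "nullQueue"]


# The answer's filter: anything containing INFO or WARN goes to nullQueue.
POST_FILTER = [(r"(?:INFO|WARN)", "nullQueue")]

# Assumed tightened variant: word boundaries stop "INFORMATION" from matching.
ANCHORED_FILTER = [(r"\b(?:INFO|WARN)\b", "nullQueue")]

# Assumed allowlist variant: drop everything, then re-route ERROR events back
# to indexQueue. In Splunk this is two stanzas, and the nullQueue one must be
# listed first in TRANSFORMS-t1 because the last matching stanza wins.
ALLOWLIST = [(r".", "nullQueue"), (r"\bERROR\b", "indexQueue")]


if __name__ == "__main__":
    for name, transforms in (("post filter", POST_FILTER),
                             ("anchored", ANCHORED_FILTER),
                             ("allowlist", ALLOWLIST)):
        print(name)
        for event, queue in route_events(SAMPLE_EVENTS, transforms):
            print(f"  {queue:10s} {event}")
```

Running it shows the fourth event (an ERROR) landing in nullQueue under the answer's regex but in indexQueue under the anchored one. Because a nullQueue drop is silent and permanent, it is worth running any new filter regex over a day of real events like this before deploying it on the heavy forwarder or indexer.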


somnathnag
Engager

Thanks a lot.
Probably we would go with the heavy forwarder. I looked into your attached document but couldn't figure out the configuration for selective event forwarding. Can you please provide a sample configuration file?
