How can I filter out HTTP 301 and 302 on a linux H...

eosi · ‎07-21-2016

I am new to Splunk and can see previous post for filtering out Security logs. Please would anyone be able to help with filtering out certain HTTP traffic?

michael_sleep · ‎07-22-2016

Post some sample data and we can give you some working regex to go with it.

inventsekar · ‎07-22-2016

from the document, To discard specific events and keep the rest
This example discards all sshd events in /var/log/messages by sending them to nullQueue:

In props.conf, set the TRANSFORMS-null attribute:

[source::/var/log/messages]
TRANSFORMS-null= setnull
2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":

[setnull]
REGEX = [sshd]
DEST_KEY = queue
FORMAT = nullQueue
That does it.

could you please update us the http error log and few 301 and 302 sample messages

woodcock · ‎07-21-2016

Read up on the basic tenchique here (it is pretty strightforward):

http://docs.splunk.com/Documentation/Splunk/6.1.5/Forwarding/Routeandfilterdatad

How can I filter out HTTP 301 and 302 on a linux Heavy forwarder so that it doesn't forward those logs to the cloud indexer

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...