Getting Data In

Is there a way to only forward certain log events?

mattbrowne
Engager

Hi,

Is there a way of only sending certain events from a log file via a forwarder?

E.g. our log files contain a lot of noise that I don't want to send to Splunk (mainly for network performance reasons), the logs are in the structure of:

(blank line)
[Header line 1 with log_type]
[Header line 2]
free text body of contents of log message
(blank line)

How can I configure the forwarder to only send log blocks of certain "log_type"s?

Thanks in advance!

Tags (2)
1 Solution

skoelpin
SplunkTrust
SplunkTrust

You have two approaches here.

1) You could use a universal forwarder to specify only the files you want to forward
2) You should use a heavy forwarder to pre-parse the data and send any junk data to nullqueue

If the "noise" is mixed in with the logs you want to send, you should go with option 2. If the "noise" is comprised of logs you don't want, you should go with option 1. If you need more of an explanation, then provide more details about where the noise is

https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html

View solution in original post

skoelpin
SplunkTrust
SplunkTrust

You have two approaches here.

1) You could use a universal forwarder to specify only the files you want to forward
2) You should use a heavy forwarder to pre-parse the data and send any junk data to nullqueue

If the "noise" is mixed in with the logs you want to send, you should go with option 2. If the "noise" is comprised of logs you don't want, you should go with option 1. If you need more of an explanation, then provide more details about where the noise is

https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...