Hi
We want to capture the logs which are coming with events and a condition like "WARNING" OR "HIGH" OR "MEDIUM" OR "CRITICAL", and to filter out the logs which are coming with "INFORMATION" OR "VERBOSE" OR "MONITORABLE" OR "UNEXPECTED".
Hi anandhalagarasan,
give this a try.
props.conf
[yoursourcetype]
TRANSFORMS-yoursourcetype=eliminate
transforms.conf
[eliminate]
REGEX=(?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY=queue
FORMAT=nullQueue
Let me know if it works!
Can anyone help on this query.
I have to admit that I was surprised my initial solution did not work as expected.
Regardless of that, I found a working solution.
props.conf
[sharepoint]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = (?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY = queue
FORMAT = nullQueue
This should work for you as well.
Here is a link to helpful documentation about it:
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/Forwarding/Routeandfilterdatad#Keep_specific_...
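Before pushing a nullQueue filter to production it is worth checking the REGEX against a handful of real events, because transforms.conf regexes are case-sensitive PCRE searches over _raw. The script below is an added example, not code from the thread or from Splunk: it models the routing decision in Python's re module (which supports the same lookahead and (?i) syntax used here) over constructed sample events whose severity tokens are upper case, as the question writes them. It checks the exact regex posted above, a case-insensitive whole-word denylist, and the two-transform "keep specific events, discard the rest" pattern from the linked docs (setnull with REGEX = . followed by a setparsing transform with FORMAT = indexQueue). The event layout and all regex names are assumptions for the demonstration.

```python
import re

# Constructed sample events (not from the original thread); the severity
# token sits in the fourth whitespace-separated field of every line.
SAMPLE_EVENTS = [
    "10:00:01 w3wp.exe General INFORMATION User logged in",
    "10:00:02 w3wp.exe General VERBOSE Cache lookup",
    "10:00:03 w3wp.exe General MONITORABLE Slow query",
    "10:00:04 w3wp.exe General UNEXPECTED Null reference",
    "10:00:05 w3wp.exe General WARNING Disk space low",
    "10:00:06 w3wp.exe General HIGH Auth failure",
    "10:00:07 w3wp.exe General MEDIUM Retry scheduled",
    "10:00:08 w3wp.exe General CRITICAL Service crashed",
    "10:00:09 w3wp.exe General Information Mixed-case variant",
]

# Regex exactly as posted in the answer above (case-sensitive).
THREAD_REGEX = r"(?=Unexpected|Information|Verbose|Monitorable)"
# Assumed hardened variants: case-insensitive and whole-word, so that
# upper-case tokens match and a token embedded in another word does not.
DENYLIST_REGEX = r"(?i)\b(?:UNEXPECTED|INFORMATION|VERBOSE|MONITORABLE)\b"
KEEPLIST_REGEX = r"(?i)\b(?:WARNING|HIGH|MEDIUM|CRITICAL)\b"


def route_denylist(events, regex):
    """Model a single [setnull] transform: an event whose _raw matches REGEX
    is routed to nullQueue (dropped); everything else goes on to indexQueue.
    Splunk applies REGEX as an unanchored search, hence re.search."""
    pattern = re.compile(regex)
    kept, dropped = [], []
    for ev in events:
        (dropped if pattern.search(ev) else kept).append(ev)
    return kept, dropped


def route_keeplist(events, keep_regex):
    """Model the documented two-transform pattern (TRANSFORMS-set = setnull,setparsing):
    setnull (REGEX = .) sends every non-empty event to nullQueue, then setparsing
    (REGEX = keep_regex, FORMAT = indexQueue) overrides the queue for events
    that match. The order of the transforms is what makes this work."""
    setnull = re.compile(r".")
    setparsing = re.compile(keep_regex)
    kept, dropped = [], []
    for ev in events:
        queue = "indexQueue"
        if setnull.search(ev):
            queue = "nullQueue"
        if setparsing.search(ev):
            queue = "indexQueue"
        (kept if queue == "indexQueue" else dropped).append(ev)
    return kept, dropped


def severities(events):
    """Return the severity token of each sample event (fourth field)."""
    return [ev.split()[3] for ev in events]


if __name__ == "__main__":
    for label, regex in (("thread regex", THREAD_REGEX), ("denylist", DENYLIST_REGEX)):
        kept, dropped = route_denylist(SAMPLE_EVENTS, regex)
        print(f"{label}: kept {severities(kept)}, dropped {severities(dropped)}")
    kept, dropped = route_keeplist(SAMPLE_EVENTS, KEEPLIST_REGEX)
    print(f"keeplist: kept {severities(kept)}, dropped {severities(dropped)}")
```

Run as-is, the posted regex drops only the mixed-case "Information" line and lets every upper-case INFORMATION/VERBOSE/MONITORABLE/UNEXPECTED event through, which is the symptom of "all events are once again reaching Splunk" when the token case does not match. Two further things to check if events still arrive: the props.conf stanza name must match the event's sourcetype exactly, and nullQueue routing runs in the parsing pipeline, so it has to be configured on the indexer or a heavy forwarder (a universal forwarder does not apply it), with splunkd restarted after the change.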
Thanks, it's working fine.
I have tried the same, but the filtering is not working, so kindly provide a solution for the same.
All events are once again reaching Splunk, so kindly check and update the same.