Solved: Using Regex We need to Capture Few Events with Con...

anandhalagarasa · ‎06-12-2017

Hi

We want to capture the logs which are coming with events and condition like "WARNING" OR "HIGH" OR "MEDIUM" OR "CRITICAL" and to filter out the logs which are coming with "INFORMATION" OR "VERBOSE" OR "MONITORABLE" OR "UNEXPECTED"

horsefez · ‎06-12-2017

Hi anandhalagarasan,

give this a try.

props.conf

[yoursourcetpye]
TRANSFORMS-yoursourcetype=eliminate


transforms.conf

[eliminate]
REGEX=(?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY=queue
FORMAT=nullQueue

Let me know if it works!

View solution in original post

anandhalagarasa · ‎06-12-2017

Can anyone help on this query.

horsefez · ‎06-12-2017

Hi anandhalagarasan,

give this a try.

props.conf

[yoursourcetpye]
TRANSFORMS-yoursourcetype=eliminate


transforms.conf

[eliminate]
REGEX=(?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY=queue
FORMAT=nullQueue

Let me know if it works!

horsefez · ‎06-16-2017

I have to admit, that I was surprised my inital solution did not work as expected.
Regardless of that I found a working solution.

props.conf

[sharepoint]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = (?=Unexpected|Information|Verbose|Monitorable)
DEST_KEY = queue
FORMAT = nullQueue

This should work for you as well.
Here is a link to helpful documentation about it:
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/Forwarding/Routeandfilterdatad#Keep_specific_...

anandhalagarasa · ‎06-21-2017

Thanks its working fine.

anandhalagarasa · ‎06-12-2017

I have tried the same but the filtering is not working so kindly provide a solution for the same.

anandhalagarasa · ‎06-12-2017

All events are once again reaching Splunk so kindly check and update the same.

Using Regex We need to Capture Few Events with Conditions (High, Critical etc.)

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!