I have a log file. The lines mentioned below are available in that log file. I want to ignore all lines after the entire data of line number 14.
I want this entire ignoring process to be done before indexing, for any log file, every day.
Please tell me the whole process with the regular expression. (Line numbers are not present in the log files; I have added them here only to help show after which line I want to ignore the other lines.)
Hey @saibal6,
Please refer to this doc:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad#Discard_specific_ev...
Let me know if this helps!!
1) The key word you are probably looking for is nullqueue. You can send data to the null queue by setting up a regex to match that data.
2) We have no idea why line 14 is different from any other line. You need to explain exactly what is different about that line or the lines after it.
I notice that those dates are a few weeks off. If you are trying to ignore future records, then we need to know whether this is a one-shot or an ongoing thing that you might be receiving future records you want to drop.
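
The null-queue routing mentioned in the answers above, as an added example that is not part of the original thread. The sourcetype name `my_sourcetype`, the transform name `drop_unwanted` and the regex are placeholders, since the thread does not show what distinguishes the events to be dropped:

```ini
# props.conf (on the indexer or heavy forwarder that parses the data;
# a universal forwarder does not apply these index-time transforms)
# "my_sourcetype" is a hypothetical sourcetype name.
[my_sourcetype]
TRANSFORMS-null = drop_unwanted

# transforms.conf (same instance)
# "drop_unwanted" is a hypothetical stanza name referenced from props.conf.
[drop_unwanted]
# Placeholder: replace with a regex that matches only the events to discard.
REGEX = REPLACE_WITH_PATTERN_FOR_EVENTS_TO_DROP
# Route every event matching REGEX to the null queue, so it is never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

The regex is evaluated against each event separately, so it has to match something present in the unwanted events themselves, not their position in the file. Restart Splunk on that instance after editing the files.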