Below is the raw data that I am getting. I want to extract the events where the category is Error.
For this I am doing this in props.conf.
[source::d:\TGNI\Logs*.log]
TRANSFORMS-null= setnull
Correction to transforms.conf
[setnull]
REGEX = (?m)Category\:\sInfo
DEST_KEY = queue
FORMAT = nullQueue
Is this the right way to do this? I can't seem to get the regex expression right, I guess. I still see the Info events.
1 » 2/18/13 6:48:54.000 PM
Timestamp: 2/18/2013 6:48:54 PM
Category: Error
Machine: devmundia01
IP Address:
Customer ID:
Request URL:
Referrer URL:
Browser Name:
Browser Version:
User Agent:
host=devmundia01 | sourcetype=mundiaerr | source=d:\TGNI\Logs\tgni-mundia.2013-02-19.log

2 » 2/18/13 6:48:53.000 PM
Timestamp: 2/18/2013 6:48:53 PM
Category: Info
Machine: devmundia01
IP Address: 10.6.8.28 (3yu4xv0x5bbyk5345sqcbegq)
Customer ID:
Request URL: http://10.13.65.105/
Referrer URL:
Browser Name: Jakarta Commons-HttpClient
Browser Version: 0.0
User Agent: Jakarta Commons-HttpClient/3.0.1
host=devmundia01 | sourcetype=mundiaerr | source=d:\TGNI\Logs\tgni-mundia.2013-02-19.log
Hi pdash,
I'm not 100% sure but I think Splunk doesn't need colon ( : ) escaped. Try removing backslash before it.
Regards,
Stefano
Your regex I think should work, but you need to escape the backslashes in your source path:
[source::d:\\TGNI\\Logs*.log]
From the props.conf.spec:
**Considerations for Windows file paths:**
When you specify Windows-based file paths as part of a [source::<source>] stanza, you must escape any backslashes contained within the specified file path.
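To separate the two suspects in this thread (the REGEX versus the source stanza path), here is an added example, not from the thread or from Splunk, that replays the nullQueue routing decision in Python against two constructed events modelled on the ones quoted above. It shows that both the original `Category\:\sInfo` pattern and the unescaped variant drop the Info event and keep the Error event, so the regex is not what lets Info events through.

```python
import re

# Constructed sample events, modelled on the two events quoted in the question.
EVENTS = [
    "Timestamp: 2/18/2013 6:48:54 PM\nCategory: Error\nMachine: devmundia01\n"
    "IP Address:\nCustomer ID:\nRequest URL:\n",
    "Timestamp: 2/18/2013 6:48:53 PM\nCategory: Info\nMachine: devmundia01\n"
    "IP Address: 10.6.8.28 (3yu4xv0x5bbyk5345sqcbegq)\n"
    "Request URL: http://10.13.65.105/\nBrowser Name: Jakarta Commons-HttpClient\n",
]

# The two REGEX candidates discussed in the thread: the asker's original (escaped
# colon) and the suggested unescaped form. Both are valid patterns; '\:' simply
# matches a literal colon, so the two are equivalent.
REGEX_ORIGINAL = r"(?m)Category\:\sInfo"
REGEX_UNESCAPED = r"(?m)Category:\sInfo"


def route(event: str, regex: str) -> str:
    """Mimic a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue:
    if REGEX matches anywhere in the raw event, the whole event is discarded,
    otherwise it continues to the index queue (default queue name assumed here)."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def filter_events(events, regex):
    """Return only the events that would survive the nullQueue filter."""
    return [e for e in events if route(e, regex) == "indexQueue"]


def category(event: str):
    """Pull the Category field out of a multi-line event, for checking results."""
    m = re.search(r"^Category:\s*(\S+)", event, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    for regex in (REGEX_ORIGINAL, REGEX_UNESCAPED):
        kept = [category(e) for e in filter_events(EVENTS, regex)]
        print(f"{regex!r} keeps categories: {kept}")
```

If this replay drops the Info event while Splunk still indexes it, the transform is never being applied, which points at the stanza selector (the unescaped Windows path) or at the configuration not being on the indexing tier rather than at the regex.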
Where do you have this configuration, on the indexer?
Yes, inside system/local.
Did you restart Splunk after you set this up? Are these events still coming in even after this, or are these sample events from before you set up the filter?
These are coming in after I changed the conf files on the indexers and restarted Splunk.