- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I only index events within a log that start...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I am trying to index a subset of a very painful log which has header and footer noise and whose events start with the same set of characters. Here is a simplified version of the log:
**************************************************
*
* R E P O R T
*
* DATE : 15 / 10 / 2019
* HOUR : 21 : 54 : 13
*
**************************************************
**************************************************
* DETAILS
**************************************************
ID : 751412348
PROTOCOL : 452453464
**************************************************
* LOG
**************************************************
FIELD 1 FIELD 2
ID NAME
- ----------------------------------------
3 NAME 1
3 NAME 2
3 NAME 3
**************************************************
*
* SUMMARY
*
**************************************************
--------------------------------------------------
--- STANDARD
--------------------------------------------------
EXECUTED : 600
PASSED : 570
FAILED : 30
--------------------------------------------------
--- CUSTOM
--------------------------------------------------
READ COUNT : 453
**************************************************
**************************************************
FINAL STATE
**************************************************
**************************************************
From this relic of a log I'd like to only index the following lines:
3 NAME 1
3 NAME 2
3 NAME 3
I'm hope that there is some sort of regex based parameter that I can set that will allow me to say "if a line starts \s\s\d then index it, otherwise ignore"
I've studied the PREAMBLE_REGEX parameter for props.conf but I understand that this would only help to skip the header, and not any information in the footer.
Any push in the right direction would be greatly appreciated.
Thank you and best regards,
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use transforms.conf to send undesired events to the null queue. See https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html or https://answers.splunk.com/answers/640411/how-to-use-regex-to-send-events-to-nullqueue-1.html for examples.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use transforms.conf to send undesired events to the null queue. See https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html or https://answers.splunk.com/answers/640411/how-to-use-regex-to-send-events-to-nullqueue-1.html for examples.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Rich! The null queue sounds sinister! It's where the bad events go.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
