Hi,
Is it possible to collect specific rows of a trace file?
I have one trace file that contains Info traces and Error traces.
I'd like Splunk to collect only the error lines.
For example, below are 2 rows in the trace file:
Time: 07/31/2013 10:35:30, Content: MyInfoMessage, Severity: Information
Time: 07/31/2013 10:45:30, Content: MyInfoMessage, Severity: Error
I'd like to collect with Splunk the second line only, the one that contains "Severity: Error"
Is there any idea how to do this?
The usual way to do this would be to prompt Splunk to drop the messages that are "Severity: Information". This is done with a parse-time transform to set the _queue metadata field for that event to nullQueue. An example is shown below. The assumption is that your sourcetype for the data is "my_sourcetype".
props.conf
[my_sourcetype]
# apply the transform below at parse time to every event of this sourcetype
TRANSFORMS-0_null_queue = drop_information_messages
transforms.conf
[drop_information_messages]
# events matching this regex are routed to the null queue and never indexed
REGEX = Severity:\sInformation
DEST_KEY = queue
FORMAT = nullQueue
See transforms.conf and look for nullQueue.
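As an added example that is not part of this thread, a small Python emulation of the routing the answer describes: it parses transforms.conf stanzas, applies them in the order a props.conf stanza names them, and reports which sample lines would reach the index. It also goes one step beyond the answer with a whitelist variant (setnull, then keep_errors) that keeps only Error lines. The conf parser, the ordering rule and the sample lines are a simplified emulation and constructed data, not Splunk's own code.

```python
import re

# Constructed sample of the trace file from the question (not real data).
TRACE_LINES = [
    "Time: 07/31/2013 10:35:30, Content: MyInfoMessage, Severity: Information",
    "Time: 07/31/2013 10:45:30, Content: MyInfoMessage, Severity: Error",
    "Time: 07/31/2013 10:50:00, Content: MyWarnMessage, Severity: Warning",
]
# transforms.conf text: the answer's drop stanza plus a whitelist pair (setnull, keep_errors).
TRANSFORMS_CONF = """[drop_information_messages]
REGEX = Severity:\\sInformation
DEST_KEY = queue
FORMAT = nullQueue
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[keep_errors]
REGEX = Severity:\\sError
DEST_KEY = queue
FORMAT = indexQueue
"""

def parse_conf(text):
    # Minimal Splunk .conf reader: {stanza: {key: value}}, ignoring comments.
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route(line, props_stanza, transforms):
    # Emulated index-time routing: TRANSFORMS-* classes run in ASCII order of
    # class name, each list left to right; the last matching transform wins.
    queue = "indexQueue"  # events are indexed unless a transform reroutes them
    for key in sorted(k for k in props_stanza if k.startswith("TRANSFORMS-")):
        for name in (n.strip() for n in props_stanza[key].split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], line):
                queue = t["FORMAT"]
    return queue

def indexed_lines(lines, props_stanza, transforms=parse_conf(TRANSFORMS_CONF)):
    # Events that would reach the index under the given props.conf stanza.
    return [l for l in lines if route(l, props_stanza, transforms) == "indexQueue"]
```

With the answer's blacklist stanza the Error and Warning lines are indexed; with the whitelist pair only the Error line survives, which is the behaviour to check before deploying either to a heavy forwarder or indexer.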