Re: Filter strings of event before index

thinksplunk · ‎09-24-2013

Hi, as i'm new to using Splunk, i would like to know how to filter the string "2013-09-20 16:53:00, 231 Success transport" before it is index, how to do it and where to configure it? thks

2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent

2013-09-20 16:53:00, 231 Success transport

2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process

JimDeich · ‎11-04-2014

It seems like the poster was just looking to remove PART of a log or event, but the answer given will remove the ENTIRE EVENT .

thinksplunk · ‎09-30-2013

correct, it is writing the right regex, as i mentioned i'm new in using Splunk, so not very sure how to write the right regex.

kristian_kolb · ‎09-30-2013

Did you read the linked doc page? Given that you understand the basic principle of how routing events to the nullQueue works, it's just a question of writing the right regex.

thinksplunk · ‎09-30-2013

To be exact, i need to filter the string is "2013-09-20 16:53:34,374 INFO [Thread-2] [null:-1] Success. Connected to AB Server at 192.11.12.13:123.

kristian_kolb · ‎09-24-2013

You can filter out events before they are indexed with the help of a so-called nullQueue transform. Please note that the regex below is pretty specific in order not to remove events you want to keep.

props.conf

[your_source_or_sourcetype]
TRANSFORM-blah = remove_success_transport

transforms.conf

[remove_success_transport]
REGEX = ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sSuccess\stransport$
DEST_KEY = queue
FORMAT = nullQueue

For more info;

http://docs.splunk.com/Documentation/Splunk/5.0.5/Deploy/Routeandfilterdatad#Discard_specific_events...

/K

Filter strings of event before index

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases