Getting Data In

How do I filter out parts of my sample log and only index a portion of the message for an event?

DuXa
New Member

I have a log with a long message. I need to cut it from A to B and, if it is possible, not to show other events to work faster. Here is an example of my log file.
I need my event from: 81503| main: number of bytes received: 467 to 1| msgsnd_w_retry [dst task: HOST, time: 27/03/2011 09:46:44.0512]: Send msg to queue 34308098. I tried to use LINE_BREAKER, but I could not do it.


Task with ID = 11 is waiting for the message to arrive on the queue 34471943.
81503|  main: number of bytes received: 467
81503|  09:46:44 
81503|  main: Found message format 1.00
81503|  =>sv_msg2msgx_ent (tag_utils.c)
81503|  =>svm_dprint (sv_message.c     10.4)
81503|  svm_dprint: Message v1.00
umsgnum =   00750163    org_pid =   00000645
dest_pid =  00000000    timestamp_in =  1301204804
msg_size =  00000411    msgtype =   00001031
direction = 00000000    dev_proc_id =   00000004
org_dev_qid =   34340867    81503|  BITS: 81503|  
81503|  [0x600fffffffef67a8] SVT_CARD_NUM       l0016:  STR: 6774889148194829
81503|  [0x600fffffffef67ba] SVT_UTRANSNO       l0004:  INT: 750163
81503|  [0x600fffffffef67c0] SVT_SV_TRACE       l0004:  INT: 750163
81503|  [0x600fffffffef67c6] SVT_DEVINFO        l0002:  STR: 00
81503|  [0x600fffffffef67ca] SVT_FINTRAN        l0001:  HEX: 01
..................................................
1|  msgx_ent2sv_msg: bptr: 0x600fffffffef5337, buf: 0x600fffffffef5140, *bufsize: 00000495d, hdr->msg_size: 00000439d
1|  msgx_ent2sv_msg() = 1, buf_len = 495
1|  msgsnd_w_retry [dst task: HOST, time: 27/03/2011 09:46:44.0512]: trying to send 495d bytes to target queue 34308098
1|  msgsnd_w_retry [dst task: HOST, time: 27/03/2011 09:46:44.0512]: Send msg to queue 34308098
1|  =>txrout_proc_state_table_status (tserv.c)
1|  txrout_proc_state_table_status: new state is: 1
1|  =>txrout_free_event (tserv.c)
1|  =>COMMIT_WORK (db_login.pc)
0 Karma

woodcock
Esteemed Legend

Using LINE_BREAKER has nothing to do with it. You need to make your forwarder a Heavy Forwarder and then do the stuff here:
http://networkerslog.blogspot.com/2012/01/how-to-filter-unwanted-data-without.html

0 Karma
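Splunk's documented way to keep some events and discard the rest is a nullQueue/indexQueue transform pair. It is applied where events are parsed, so on a heavy forwarder or indexer rather than a universal forwarder. The fragment below is an added example, not taken from this thread or the linked post; the sourcetype name `your_sourcetype` is a placeholder and the regex is constructed from the sample log in the question.

```ini
# props.conf (on the heavy forwarder)
# "your_sourcetype" is a placeholder for the sourcetype assigned to this log.
[your_sourcetype]
# Transforms run left to right; the last one that matches decides the queue.
TRANSFORMS-filter = drop_everything, keep_wanted

# transforms.conf (on the heavy forwarder)
# Step 1: send every event to the nullQueue, i.e. discard it.
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: route events that match back to the indexQueue so they are kept.
# The regex is built from the sample log and matches against each event
# as it was broken at parse time.
[keep_wanted]
REGEX = main: number of bytes received|msgsnd_w_retry \[dst task: HOST
DEST_KEY = queue
FORMAT = indexQueue
```

This keeps or drops whole events; it does not trim text inside an event. Discarded events never reach the index, so they cannot be searched later.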