Hello,
I've been searching forever and I can't seem to find the answer.
The documentations that I have found thus far have only said that it is possible to filter specific EVENTS, but not forward a simplified version of it.
Here is the issue:
Let's say I have a log that has the following format (totally made up, but you get the idea) that I send to Splunk to be indexed:
--
#Fields: date time clientip User-Agent stats responsetime statuscode
2012-07-13 20:53:00 10.100.10.100 Mozilla type=something&loc=somewhere&id=11111 10 200
--
How could I parse the DATA itself, so that, say, the only thing that is forwarded is
2012-07-13 20:53:00 type=something&loc=somewhere 10 200 (Note: As per this example, I want to parse out some of the strings delimited by the space as well as substrings)
So I can't simply trim the length of the event because I need to exclude things WITHIN the event.
(The #Fields line is irrelevant; as I understand it, I would put this information in the transform.conf file.)
All I have found is how to filter EVENTS not PARTIAL events. As you can guess I don't have control over how the log files are created, only what is given.
So the question is, can I forward minimized events to the indexers?
If so, how?
Please let me know if I need to give more information.
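One way to get the trimmed event described in the question, as an added example that is not part of the original post: Splunk's props.conf supports `SEDCMD-<class>` settings, which apply a sed-style substitution to `_raw` while the event is parsed. The sourcetype name `my_weblog` below is assumed; the two substitutions are written so that each works independently of the other (the first drops the third and fourth space-delimited tokens, the second removes the `&id=...` substring wherever it sits in the query string), so the order in which Splunk applies them does not matter.

```ini
# props.conf -- example only, sourcetype name is assumed
[my_weblog]

# Keep "date time", drop the two following tokens (clientip and User-Agent),
# then keep the remaining three tokens (stats, responsetime, statuscode).
#   in : 2012-07-13 20:53:00 10.100.10.100 Mozilla type=something&loc=somewhere&id=11111 10 200
#   out: 2012-07-13 20:53:00 type=something&loc=somewhere&id=11111 10 200
SEDCMD-a_drop_clientip_ua = s/^(\S+ \S+) \S+ \S+ (\S+) (\S+) (\S+)$/\1 \2 \3 \4/

# Remove the id=... pair from the stats query string, wherever it appears.
#   out: 2012-07-13 20:53:00 type=something&loc=somewhere 10 200
SEDCMD-b_drop_id = s/&id=[^& ]+//
```

Two caveats a practitioner would want: `SEDCMD` runs in the parsing pipeline, which a universal forwarder does not execute, so to actually shrink what goes over the wire the rewrite has to happen on a heavy forwarder (or the data is reduced only once it reaches the indexer). It is also lossy by design: the client IP and User-Agent are gone for good, which is worth weighing if those fields are ever needed for an investigation. Dropping entire lines such as the `#Fields:` header is a separate mechanism (a `TRANSFORMS-` stanza in props.conf pointing at a transforms.conf entry that routes matching events to `nullQueue`), which is the whole-event filtering the question already mentions.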