VMware Cloud Community
vschmelz
Contributor
Contributor

Looking for a function in Log Insight

I recently started working with Log Insight and I'm looking for a specific funktion.Ich have log data with a lot of text and search now a function to delete uninteresting text content. This is usually not just one line.

Thanks for any help.

Labels (3)
Reply
0 Kudos
8 Replies
sflanders
Commander
Commander

Hello and welcome to the communities! Go to the Interactive Analytics page and add a filter for text does not contain <what you want to ignore>

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
Reply
0 Kudos
vschmelz
Contributor
Contributor

I know the function, with this function, the complete file will be ignored, right? But I want to ignore only certain parts of a text log file and not the whole file.

Reply
0 Kudos
sflanders
Commander
Commander

Not sure I am following, what I suggested will ignore a specific line in a file. If you want to exclude a file you could use our agent and then filter by filepath does not contain. If you want to ignore all files from a source you can do source does not contain. If you want to exclude words and/or phrases within a line, but keep the rest of the line, this is not possible today. I hope this helps!

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
Reply
0 Kudos
vschmelz
Contributor
Contributor

Thank you very much!

Unfortunately I can not try it at the moment but to go safe that you know what I mean here's an example.


If the content of a log file would have two blocks.

Action: text
System Name: Text
Agent Address: Text
...
If Description: lo

Action: text
System Name: Text
Agent Address: Text
...
If Description: something else

The first block is uninteresting and I want to delete it.
Only the following should be in the file.

Action: text
System Name: Text
Agent Address: Text
...
If Description: something else

Reply
0 Kudos
sflanders
Commander
Commander

Sounds like you are looking for event filtering, but this should be done BEFORE it reaches Log Insight. Log Insight ingests everything it is sent and does not drop/remove anything.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
vschmelz
Contributor
Contributor

Thanks again for your quick answers.

Reply
0 Kudos
vschmelz
Contributor
Contributor

How can I solve this problem (event filtering)

Is it maybe possible to import a log file and create an event of each line?

Reply
0 Kudos
sflanders
Commander
Commander

The proper way to do this is client-side so you would need to check on what syslog agent you are running. For example:

* http://www.rsyslog.com/doc/rsyslog_conf_filter.html

* 8.3.6. Filter functions

Note that importing files into LI is not supported today server-side though you could do this with LI agent. Also note that the LI agent allows you to specify what a new event looks like (i.e. it can split messages) so you should consider using that instead of 3rd party agents like the links I provided above.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
Reply
0 Kudos