https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603403#M13025 <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class="">Filtering logs before indexing using<SPAN>&nbsp;</SPAN><SPAN>transforms.conf</SPAN><SPAN>&nbsp;</SPAN><SPAN>and</SPAN><SPAN>&nbsp;</SPAN><SPAN>props.conf&nbsp;</SPAN><SPAN>creates ingestion latency problem.</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class=""> <DIV class=""> <DIV class=""> <DIV> <DIV class=""> <DIV class=""> <DIV class="">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Wed, 29 Jun 2022 23:11:13 GMT Username_splunk 2022-06-29T23:11:13Z https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603403#M13025 <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class="">Filtering logs before indexing using<SPAN>&nbsp;</SPAN><SPAN>transforms.conf</SPAN><SPAN>&nbsp;</SPAN><SPAN>and</SPAN><SPAN>&nbsp;</SPAN><SPAN>props.conf&nbsp;</SPAN><SPAN>creates ingestion latency problem.</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class=""> <DIV class=""> <DIV class=""> <DIV> <DIV class=""> <DIV class=""> <DIV class="">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Wed, 29 Jun 2022 23:11:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603403#M13025 Username_splunk 2022-06-29T23:11:13Z https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603421#M13029 <P>This is true.&nbsp; The more work the indexer has to do before it indexes data the longer ingestion takes.</P><P>There are some things you can do about it.</P><UL><LI>Only do at index time what absolutely has to be done at index time.&nbsp; Field extractions, for example, are best done at search time.</LI><LI>If you're using regular expressions in your filters then test them in regex101.com to make sure they're as efficient as you can make them.</LI><LI>Consider adding more indexers to your environment.</LI></UL><P>How much latency are we talking about?</P> Mon, 27 Jun 2022 16:55:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603421#M13029 richgalloway 2022-06-27T16:55:11Z https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603707#M13059 <P><SPAN>To reply to your question about latency:</SPAN></P><UL><LI><SPAN>Events from tracker.log have not been seen for the last 546 seconds, which is more than the red threshold (210 seconds).&nbsp;</SPAN></LI><LI><SPAN>Events from tracker.log are delayed for 32126 seconds, which is more than the red threshold (180 seconds).</SPAN></LI></UL><P><SPAN>The regex is efficient, i tried it on regex101.</SPAN></P><P><SPAN>On indexing time, there is only one regex that i wrote for firewall incoming data to only accept blocked traffic logs. And because there are a lot of logs sent by the firewall, the indexer should filter all of those logs on indexing time to filter them and only take the blocked traffic to index it.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Question: How can adding an indexer help me in this case, will the two indexers work on filtering logs in indexing time together?</SPAN></P> Wed, 29 Jun 2022 07:37:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603707#M13059 Username_splunk 2022-06-29T07:37:21Z https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603779#M13064 <P>Additional indexers help by sharing the workload.&nbsp; If data is distributed across all indexers then they each will work on filtering logs.&nbsp; They'll also share the search load to help make searches run faster.</P> Wed, 29 Jun 2022 14:23:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603779#M13064 richgalloway 2022-06-29T14:23:29Z https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603783#M13066 <P>Maybe better option in your case is use something else (rsyslog, syslog-ng or cribl) before take those logs into splunk? I suppose that those are more powerful to do that kind of event dropping than splunk is? Also you could check if you can configure FW to send only wanted events not all.</P><P>r. Ismo</P> Wed, 29 Jun 2022 14:33:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-does-filtering-logs-before-indexing-using-transforms-conf/m-p/603783#M13066 isoutamo 2022-06-29T14:33:05Z