https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85722#M17802 <P>I have an overload of events no one wants and are eating up our license so I did the following and it is not working.</P> <P>I am trying to drop the following message:</P> <P>"Terminating on fatal IPC exception"</P> <P>I am running this off of a heavy forwarder:</P> <P>Here is my props</P> <PRE><CODE>[source::/opt/logs/all_logs] TRANSFORMS-null= setnull </CODE></PRE> <P>Here is my transforms</P> <PRE><CODE>[setnull] REGEX = /Terminating on fatal IPC exception/ DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>The above is working so well now no events are being forwarded to the indexers. Any idea what I am doing wrong?</P> <P>Thanks</P> <P>Ed</P> Mon, 07 Oct 2013 18:36:12 GMT ebailey 2013-10-07T18:36:12Z https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85722#M17802 <P>I have an overload of events no one wants and are eating up our license so I did the following and it is not working.</P> <P>I am trying to drop the following message:</P> <P>"Terminating on fatal IPC exception"</P> <P>I am running this off of a heavy forwarder:</P> <P>Here is my props</P> <PRE><CODE>[source::/opt/logs/all_logs] TRANSFORMS-null= setnull </CODE></PRE> <P>Here is my transforms</P> <PRE><CODE>[setnull] REGEX = /Terminating on fatal IPC exception/ DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>The above is working so well now no events are being forwarded to the indexers. Any idea what I am doing wrong?</P> <P>Thanks</P> <P>Ed</P> Mon, 07 Oct 2013 18:36:12 GMT https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85722#M17802 ebailey 2013-10-07T18:36:12Z https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85723#M17803 <P>The config looks good. Somehow you're regex is matching everything. I've used something very similar in the past, but on the indexer. Never tried it on a heavy forwarder.</P> Mon, 07 Oct 2013 19:01:15 GMT https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85723#M17803 lukejadamec 2013-10-07T19:01:15Z https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85724#M17804 <P>I don't think the <CODE>REGEX</CODE> needs the / characters around it unless that is in the actual event. This should be fine:</P> <PRE><CODE>REGEX = Terminating on fatal IPC exception </CODE></PRE> <P>But, a stanza name as generic as "setnull" may already existing within configs. I might suggest naming it something more specific like:</P> <PRE><CODE>[source::/opt/logs/all_logs] TRANSFORMS-null= setnull-fatalIPCexception [setnull-fatalIPCexception] REGEX = Terminating on fatal IPC exception DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 07 Oct 2013 22:30:46 GMT https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85724#M17804 dwaddle 2013-10-07T22:30:46Z https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85725#M17805 <P>I made your suggested change and no joy. Now all events are flowing from the heavy forwarder to the indexers. Thanks for your effort.</P> <P>Ed</P> Mon, 07 Oct 2013 23:48:54 GMT https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85725#M17805 ebailey 2013-10-07T23:48:54Z https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85726#M17806 <P>BTW - the actual full event is </P> <P>Oct 7 23:49:04 xxxhostnamexxx lsassd[9246]: 0x3fcc8b90:Terminating on fatal IPC exception</P> Mon, 07 Oct 2013 23:49:51 GMT https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85726#M17806 ebailey 2013-10-07T23:49:51Z https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85727#M17807 <P>Is this a multi-line event? You could try adding (?msi) to the beginning of the regex. You can test the regex in a search string which saves restarting the forwarder.</P> Mon, 07 Oct 2013 23:54:48 GMT https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85727#M17807 lukejadamec 2013-10-07T23:54:48Z https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85728#M17808 <P>this is not a multi-line event - good idea using a search string to test the regex. Thanks</P> Tue, 08 Oct 2013 13:59:10 GMT https://community.splunk.com/t5/Getting-Data-In/help-with-event-filtering-excluding-events-before-indexing/m-p/85728#M17808 ebailey 2013-10-08T13:59:10Z