https://community.splunk.com/t5/Getting-Data-In/Filtering-events-on-indexer-received-from-LightForwarder/m-p/92056#M19127 <P>I would suggest using a sourcetype in place of source. Since the source will be set to each file under the directory being monitored, the transforms may not match. You can try the following:</P> <P>On fwd:</P> <PRE> [monitor:///home/tomcat1/apache-tomcat-6.0.24/logs] disabled=false host=prod_228_1 index=production sourcetype=apache_logs </PRE> <P>On indexer:</P> <PRE> [sourcetype::apache_logs] TRANSFORMS-null=setnull [setnull] REGEX = healthCheck DEST_KEY = queue FORMAT = nullQueue </PRE> Thu, 14 Apr 2011 00:16:25 GMT jkerai 2011-04-14T00:16:25Z https://community.splunk.com/t5/Getting-Data-In/Filtering-events-on-indexer-received-from-LightForwarder/m-p/92054#M19125 <P>I'm trying to filter some events on an indexer that I'm not interested in. I have a single indexer/search node and three app server nodes that I'm running a SplunkLightForwarder on. The input to each of the SLF is the following (inputs.conf):</P> <P><CODE> [monitor:///home/tomcat1/apache-tomcat-6.0.24/logs]<BR /> disabled=false<BR /> host=prod_228_1<BR /> index=production </CODE></P> <P>There are several different kinds of log files in the logs directory monitored above. I'm trying to filter the following log entries out of localhost_access log files in the above mentioned directory:</P> <P>10.72.134.3 - - [20/Aug/2010:16:13:55 -0700] "GET /ddp/server/healthCheck " 200 86</P> <P>I understand that I cannot filter using SLF, so I'm setting up a filter to throw these events away on the indexer node.</P> <P>In my $(SPLUNK_HOME)/etc/system/locals/props.conf on the indexer node I have the following:</P> <P><CODE> [source::home/tomcat1/apache-tomcat-6.0.24/logs]<BR /> TRANSFORMS-null= setnull </CODE></P> <P>In my $(SPLUNK_HOME)/etc/system/locals/transforms.conf on the indexer node I have the following:</P> <P><CODE> [setnull]<BR /> REGEX = healthCheck<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue<BR /> </CODE></P> <P>After configuring as described above and restarting, the indexer node is still indexing the healthCheck entries in my log files.</P> <P>I've checked several questions/answers in this forum and cannot find a resolution to my problem. What am I doing wrong?</P> Fri, 19 Nov 2010 05:08:25 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-events-on-indexer-received-from-LightForwarder/m-p/92054#M19125 mburbidg 2010-11-19T05:08:25Z https://community.splunk.com/t5/Getting-Data-In/Filtering-events-on-indexer-received-from-LightForwarder/m-p/92055#M19126 <P>Just one dumb question -- is the "$SPLUNK_HOME/etc/system/locals" a typo? The directory is actually "$SPLUNK_HOME/etc/system/local".</P> Mon, 28 Sep 2020 09:21:17 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-events-on-indexer-received-from-LightForwarder/m-p/92055#M19126 dwaddle 2020-09-28T09:21:17Z https://community.splunk.com/t5/Getting-Data-In/Filtering-events-on-indexer-received-from-LightForwarder/m-p/92056#M19127 <P>I would suggest using a sourcetype in place of source. Since the source will be set to each file under the directory being monitored, the transforms may not match. You can try the following:</P> <P>On fwd:</P> <PRE> [monitor:///home/tomcat1/apache-tomcat-6.0.24/logs] disabled=false host=prod_228_1 index=production sourcetype=apache_logs </PRE> <P>On indexer:</P> <PRE> [sourcetype::apache_logs] TRANSFORMS-null=setnull [setnull] REGEX = healthCheck DEST_KEY = queue FORMAT = nullQueue </PRE> Thu, 14 Apr 2011 00:16:25 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-events-on-indexer-received-from-LightForwarder/m-p/92056#M19127 jkerai 2011-04-14T00:16:25Z