https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94406#M19637 <P>I'm trying to get a multi-line log4j event sent to the nullQueue on a <EM>Regular</EM> forwarder. Here is my inputs/props/transforms.conf:</P> <PRE><CODE>[monitor:///opt/ShoppingSite/work/logs/tomcat.log] disabled = false followTail = 1 sourcetype = log4j [source::///opt/ShoppingSite/work/logs/tomcat.log] TRANSFORMS-filtercrap = cleantomcat [cleantomcat] REGEX = (?m).+getResponseEntity\nINFO:\s+The\slength\sof\sthe\smessage\sbody\sis\sunknown.+ DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>This is the event from my tomcat log I need filtered:</P> <PRE><CODE>Nov 24, 2010 12:51:18 PM com.noelios.restlet.http.HttpClientCall getResponseEntity INFO: The length of the message body is unknown. The entity must be handled carefully and consumed entirely in order to surely release the connection. </CODE></PRE> <P>I've checked my regex using KiKi (Linux regex utility). Anyone have any thoughts? These events are still showing up when I search on my search head.</P> Thu, 25 Nov 2010 04:13:26 GMT nocostk 2010-11-25T04:13:26Z https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94406#M19637 <P>I'm trying to get a multi-line log4j event sent to the nullQueue on a <EM>Regular</EM> forwarder. Here is my inputs/props/transforms.conf:</P> <PRE><CODE>[monitor:///opt/ShoppingSite/work/logs/tomcat.log] disabled = false followTail = 1 sourcetype = log4j [source::///opt/ShoppingSite/work/logs/tomcat.log] TRANSFORMS-filtercrap = cleantomcat [cleantomcat] REGEX = (?m).+getResponseEntity\nINFO:\s+The\slength\sof\sthe\smessage\sbody\sis\sunknown.+ DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>This is the event from my tomcat log I need filtered:</P> <PRE><CODE>Nov 24, 2010 12:51:18 PM com.noelios.restlet.http.HttpClientCall getResponseEntity INFO: The length of the message body is unknown. The entity must be handled carefully and consumed entirely in order to surely release the connection. </CODE></PRE> <P>I've checked my regex using KiKi (Linux regex utility). Anyone have any thoughts? These events are still showing up when I search on my search head.</P> Thu, 25 Nov 2010 04:13:26 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94406#M19637 nocostk 2010-11-25T04:13:26Z https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94407#M19638 <P>What happens if you change the props.conf from</P> <PRE><CODE>[source::///opt/ShoppingSite/work/logs/tomcat.log] </CODE></PRE> <P>to</P> <PRE><CODE>[log4j] </CODE></PRE> <P>and restart the forwarder?</P> Thu, 25 Nov 2010 11:04:48 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94407#M19638 bfaber 2010-11-25T11:04:48Z https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94408#M19639 <P>That seems to work. Why would sourcetype work but not source?</P> Fri, 26 Nov 2010 21:24:48 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94408#M19639 nocostk 2010-11-26T21:24:48Z https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94409#M19640 <P><CODE>source::</CODE> clauses should not have the triple slashes <CODE>///</CODE> at the start, just the <CODE>/</CODE>. The <CODE>//</CODE> is part of inputs monitor syntax.</P> Tue, 30 Nov 2010 10:24:18 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-routing-events-to-nullQueue/m-p/94409#M19640 gkanapathy 2010-11-30T10:24:18Z