https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102663#M21540 <P>I am trying to prune some noise from my logs. Here are my props.conf and transforms.conf. Any Idea what I am missing. The dhcpcd messages are still getting through.</P> <PRE><CODE># more props.conf [source::/var/log/hosts] # Transforms must be applied in this order # to make sure events are dropped on the # floor prior to making their way to the # index processor TRANSFORMS-set= setnull,setparsing # vi transforms.conf [sendmailnull] REGEX = .*sendmail.*$ DEST_KEY = queue FORMAT = nullQueue [puppetdnull] REGEX = .*puppetd.* DEST_KEY = queue FORMAT = nullQueue [setnull] REGEX = .*dhcpcd.* DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Wed, 02 Nov 2011 18:56:38 GMT steve543 2011-11-02T18:56:38Z https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102663#M21540 <P>I am trying to prune some noise from my logs. Here are my props.conf and transforms.conf. Any Idea what I am missing. The dhcpcd messages are still getting through.</P> <PRE><CODE># more props.conf [source::/var/log/hosts] # Transforms must be applied in this order # to make sure events are dropped on the # floor prior to making their way to the # index processor TRANSFORMS-set= setnull,setparsing # vi transforms.conf [sendmailnull] REGEX = .*sendmail.*$ DEST_KEY = queue FORMAT = nullQueue [puppetdnull] REGEX = .*puppetd.* DEST_KEY = queue FORMAT = nullQueue [setnull] REGEX = .*dhcpcd.* DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Wed, 02 Nov 2011 18:56:38 GMT https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102663#M21540 steve543 2011-11-02T18:56:38Z https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102664#M21541 <OL> <LI>Did you restart Splunk?</LI> <LI>Are the events you want to filter in just the source "/var/log/hosts"?</LI> <LI>It's really "dhcpcd" and not "dhcpd" you're looking for?</LI> <LI>What does <CODE>setparsing</CODE> contain? Might it have something that overrides the <CODE>setnull</CODE> settings?</LI> </OL> Wed, 02 Nov 2011 19:36:18 GMT https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102664#M21541 Ayn 2011-11-02T19:36:18Z https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102665#M21542 <P>Yes, I restart splunk after each edit. Yes, all of the files are in /var/log/hosts. Yes it is dhcpcd. Here is a sample. Nov 2 14:13:33 STORE00046-BACKUP dhcpcd[3207]: usb0: cannot request a link local address. Setparsing actually is not in use anywhere. I grabbed that config from another example in this forum. That may be part of the problem. I read a reference to inputs.conf somewhere but don't understand the link.<BR /> I did notice that when I make the changes the volume does seem to drop (but not disappear completely) that day, then after midnight, it seems to go back up again. </P> Wed, 02 Nov 2011 19:56:42 GMT https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102665#M21542 steve543 2011-11-02T19:56:42Z https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102666#M21543 <P>I don't have a test setup to try this on so I cannot verify how Splunk reacts when you specify a transform that does not exist, however removing the "setparsing" reference in props.conf is definitely one step worth trying.</P> Wed, 02 Nov 2011 20:21:00 GMT https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102666#M21543 Ayn 2011-11-02T20:21:00Z https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102667#M21544 <P>Hello, does the above sendmail stanza really remove all sendmail events?? If so, I will be using it.</P> Tue, 29 Jul 2014 15:37:07 GMT https://community.splunk.com/t5/Getting-Data-In/Changes-to-transforms-not-working/m-p/102667#M21544 dmacgillivray 2014-07-29T15:37:07Z