https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145044#M29621 <P>I am having issues filtering data into nullQueue. I have a log where the only lines I want indexed have the string "logit". I found on several sites a solution but the below still lets other strings through as well.</P> <P>props.conf</P> <P>[<SOURCETYPE>]<BR /> SHOULD_LINEMERGE = false<BR /> TRANSFORMS-set = setnull,setparsing</SOURCETYPE></P> <P>transforms.conf</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = logit<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>is there something else that needs added?</P> Fri, 15 Nov 2013 23:07:21 GMT flucman 2013-11-15T23:07:21Z https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145044#M29621 <P>I am having issues filtering data into nullQueue. I have a log where the only lines I want indexed have the string "logit". I found on several sites a solution but the below still lets other strings through as well.</P> <P>props.conf</P> <P>[<SOURCETYPE>]<BR /> SHOULD_LINEMERGE = false<BR /> TRANSFORMS-set = setnull,setparsing</SOURCETYPE></P> <P>transforms.conf</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = logit<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>is there something else that needs added?</P> Fri, 15 Nov 2013 23:07:21 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145044#M29621 flucman 2013-11-15T23:07:21Z https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145045#M29622 <P>From the look of it, it seems correct.</P> <P>Are you making the configuration in the correct place? See <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings</A></P> <P>/k</P> Sat, 16 Nov 2013 10:00:55 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145045#M29622 kristian_kolb 2013-11-16T10:00:55Z https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145046#M29623 <P>btw - you don't have the string <CODE>&lt;sourcetype&gt;</CODE> in the props.conf stanza header, do you?</P> <P>That is meant to be replaced with actual sourcetype for which you want to perform nullQueueing, e.g. <CODE>[access_combined]</CODE> or <CODE>[linux_secure]</CODE>.</P> <P>/k</P> Sun, 17 Nov 2013 10:44:50 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145046#M29623 kristian_kolb 2013-11-17T10:44:50Z https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145047#M29624 <P>I am updating the props.conf and transforms.conf on the indexers and search head. The location I updated was the etc/system/local files.</P> <P>It seems to be working now so may have just missed refreshing the configs on an indexer. Thanks!</P> Mon, 18 Nov 2013 15:14:54 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-of-events-using-nullQueue/m-p/145047#M29624 flucman 2013-11-18T15:14:54Z