https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-filter-out/m-p/153103#M31160 <P>I am attempting to filter out healthcheck's within our system from our web logs. I am using the props.conf / transforms.conf method on the indexer in order to begin filtering these out. I have inserted all of the necessary parameters, and restarted the system, however the events are still appearing. This environment is a cluster, so I am pushing the configurations from the cluster master. See props / transforms entries below. </P> <P>props.conf: </P> <PRE><CODE>[www_stg] TRANSFORMS-hck = webHealthCheckFilterStg </CODE></PRE> <P>transforms.conf: </P> <PRE><CODE>[webHealthCheckFilterStg] REGEX = 10.207.*.* REGEX = 10.207.*.* REGEX = 10.207.*.* REGEX = 10.207.*.* REGEX = myHealtchCheckUser REGEX = (h|H)ealth(c|C)heck) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>I don't see the events getting filtered, so I'm assuming I have a syntax error somewhere. Am I doing something wrong? </P> Mon, 06 Oct 2014 15:36:10 GMT tmarlette 2014-10-06T15:36:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-filter-out/m-p/153103#M31160 <P>I am attempting to filter out healthcheck's within our system from our web logs. I am using the props.conf / transforms.conf method on the indexer in order to begin filtering these out. I have inserted all of the necessary parameters, and restarted the system, however the events are still appearing. This environment is a cluster, so I am pushing the configurations from the cluster master. See props / transforms entries below. </P> <P>props.conf: </P> <PRE><CODE>[www_stg] TRANSFORMS-hck = webHealthCheckFilterStg </CODE></PRE> <P>transforms.conf: </P> <PRE><CODE>[webHealthCheckFilterStg] REGEX = 10.207.*.* REGEX = 10.207.*.* REGEX = 10.207.*.* REGEX = 10.207.*.* REGEX = myHealtchCheckUser REGEX = (h|H)ealth(c|C)heck) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>I don't see the events getting filtered, so I'm assuming I have a syntax error somewhere. Am I doing something wrong? </P> Mon, 06 Oct 2014 15:36:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-filter-out/m-p/153103#M31160 tmarlette 2014-10-06T15:36:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-filter-out/m-p/153104#M31161 <P>First, I have 3 remarks on the regexes.</P> <UL> <LI>you cannot put more than 1 REGEX per transfoms.</LI> <LI><P>your regex are not valid, you need to escape the dots and you may want to specify that you expect digits<BR /> <CODE>REGEX=10\.207\.\d+\.\d+</CODE></P></LI> <LI><P>you should group all your regex in a single one with OR conditions. This can be faster than create a new tranform per regex.<BR /> example : <CODE>REGEX=(myHealtchCheckUser|10\.207\.\d+\.\d+)</CODE></P></LI> </UL> <P>And finally, double check that :</P> <UL> <LI>the events are not send from a heavy forwarder that already parsed the events</LI> <LI>that the sourcetype does not have any INDEXED_EXTRACTIONS rules that will cause them to be parsed on the forwarders In both case, try with the props/transforms on the forwarder.</LI> </UL> Mon, 06 Oct 2014 17:03:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-filter-out/m-p/153104#M31161 yannK 2014-10-06T17:03:10Z