topic Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"? in Getting Data In

How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

mwilson788 — Tue, 06 Jan 2015 18:00:08 GMT

We are currently using props.conf and transforms.conf to combine all non-internal ingest into a single index on our heavy forwarder (coming from 100s of universal forwarders).

We are doing so with the following config:

props.conf
[default]
TRANSFORMS-index = setdefaultindex

transforms.conf
[setdefaultindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = customindexname

All was working well until we decided to start filtering out all splunkd sourcetype events that contain INFO. It seems they are forwarded on regardless of the filter we put in place due to the config above. Is there a way around this?

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

MuS — Tue, 06 Jan 2015 18:16:43 GMT

Hi, since you only provided the example for the default index, this is hard to solve.
Take a look at the docs about routing and filtering, which contains an example on how to filter events and send them into the darkness of digital universe or the null queue http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues

cheers, MuS

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

mwilson788 — Tue, 06 Jan 2015 18:21:54 GMT

Thank you for your response. Actually, the document you reference is what I've been using to the letter.

The following was added to props.conf for filtering:
[splunkd]
TRANSFORMS-null = setnull

And to transforms.conf:
[setnull]
REGEX = \"INFO\"
DEST_KEY = queue
FORMAT = nullQueue

According to the doc, this should work but, does nothing. Am I overlooking something simple here?

As a side note, I even went so far as to set priority on the stanzas as a test. No luck there either.

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

jayannah — Mon, 28 Sep 2020 18:32:10 GMT

I shall described 2 solutions for your problem-1. However, I do prefer option-1 below.

Option-1: If you don't specify index name in the inputs.conf, then all the events goto the default index. By default, the default index is 'main', but you can configure "customindex" as default index so that all events which arrives without index name in the metadata will go into the "customindex" or default index whatever you configure. Use below below props & transforms just to filter out (drop) INFO events.

props.conf
[default]
TRANSFORMS-index = drop_info_events, send_all_events

transforms.conf
[drop_info_events]
REGEX = INFO
DEST_KEY = queue
FORMAT = nullQueue

[send_all_events]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

option-2: Use below configure where the customer index name is mentioned in the configuration files.

props.conf
[default]
TRANSFORMS-index = setdefaultindex, drop_info_events, send_all_events

transforms.conf
[setdefaultindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = customindexname

[drop_info_events]
REGEX = INFO
DEST_KEY = queue
FORMAT = nullQueue

[send_all_events]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

jayannah — Tue, 06 Jan 2015 18:32:37 GMT

REGEX = "INFO" is exactly match "INFO" with quotes. So, if your event doesn't have quotes around INFO, then use REGEX = INFO

Also, you have user another transforms to forwarder the remaining event. Please the configurations I have explained in the answer.

let me know it works.

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

mwilson788 — Tue, 06 Jan 2015 18:42:12 GMT

I really thought this might work but alas, the events still poor in. It's like the filter is being ignored completely...

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

mwilson788 — Tue, 06 Jan 2015 18:43:23 GMT

I should say Option 2 is the one I tried. I'm afraid I'm unable to change the inputs.conf file on the UFs as mentioned in Option 1 (I agree this would be ideal).

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

jayannah — Tue, 06 Jan 2015 19:03:31 GMT

Did you restart your Heavy forwarder after putting these changes?

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

mwilson788 — Tue, 06 Jan 2015 19:05:31 GMT

Of course. Still tinkering. I appreciate the effort. If you think of anything at all, it would be appreciated.

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

jayannah — Tue, 06 Jan 2015 19:29:20 GMT

Did you remove the double quotes in the REGEX = "INFO" line in props.conf??

Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"?

mwilson788 — Tue, 06 Jan 2015 19:32:17 GMT

I did actually. I just got this to work with a bit of tweaking.

Answer here for others who may have this issue:

props.conf
[default]
TRANSFORMS-index = setdefaultindex, setnull

transforms.conf
[setdefaultindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = indexname

[setnull]
REGEX = INFO
DEST_KEY = queue
FORMAT = nullQueue

This was very close to your solution so I give you all the credit jayannah! Thanks so much!