topic Re: Using HEC with props.conf and transforms.conf in Getting Data In

Using HEC with props.conf and transforms.conf

gifkinsju — Thu, 19 Apr 2018 21:39:06 GMT

Hi there,

I'm experiencing difficulty in discarding certain events while they're passing through my heavyweight forwarder layer. I'm attempting to do so using a props.conf and transforms.conf.

The end to end traffic flow is architected in the following manner:

Java log appender -> HEC (based on Heavyweight Forwarder) -> Indexer <-> Search Head

The content of my props.conf is as follows:

[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
category = Structured
TRANSFORMS-set = setnull

The content of my transforms.conf is as follows:

[setnull]
REGEX = \"path\":\"\\\/status\”
DEST_KEY = queue
FORMAT = nullQueue

Here's an example of a message of which I'm trying to filter:

{"severity":"INFO","logger":"RL","thread":"omitted","message":{"path":"\/status","requestBody":null,"success":null,"query":null,"errorMessage":null,"startTime":"09:31:03.133","endTime":"09:31:03.133","httpMethod":"GET","operation":"StatusController.status","processingTime":0.0,"statusCode":0},"properties":{"start_time":"1524173463133","ua_family_version":"null.null","os_family":"omitted","customer_number":"omitted","requestID":"omitted","ua_family":"omitted","session_id":null,"device_family":"omitted","client_ip":"omitted","request_id":"omitted","os_family_version":"null.null"}}

After applying the props.conf and transforms.conf I've tried both restarted our Heavyweight Forwarders, as well as using the http://splunk.domain/en-US/debug/refresh/ URL to reload the config, but the logs are still being indexed despite this. This makes me suspect that my props.conf or transforms.conf are incorrectly formatted.

I've also tried completing this configuration directly at the Indexer but this has failed.

Essentially my desired outcome is that I want any message which has the "path" key defined as "/status" to be routed to null, and not be indexed, while all other traffic is indexed successfully.

If there's any assistance that could be offered in resolving this issue it would be greatly appreciated!

Thanks!

Re: Using HEC with props.conf and transforms.conf

laurent_ — Fri, 28 Sep 2018 08:12:19 GMT

Hello,

We got the same problem. I'm still waiting for support to come back on this issue.

Re: Using HEC with props.conf and transforms.conf

gjanders — Fri, 28 Sep 2018 23:14:20 GMT

Please confirm the endpoint you are using to send data to HEC

Are you using /services/collector or /services/collector/event or /services/collector/raw ?

As per the universal forwarder wiki page https://wiki.splunk.com/images/d/da/Splunk_EventProcessing_v19_0_UF_Indexer.png JSON/event data goes via the structured parsing queue, raw data goes via the normal mechanism.

The main diagram https://wiki.splunk.com/File:Splunk_EventProcessing_v19_0_standalone.png has not been updated yet but I can confirm from experience that the props/transforms will not work if your using /services/collector/event

Re: Using HEC with props.conf and transforms.conf

hrawat — Wed, 19 Apr 2023 12:59:51 GMT

If with INDEXED_EXTRACTIONS=JSON, indexed extraction is working intermittently then it's possible that json HEC event payload is more than 512KB. It's known issue for HEC that for indexed extraction `maxEventSize` is not honored hence max json payload is 512KB. Fixed in Splunk 9.0 and above.