https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394505#M70429 <P>so after /vcacalog/... I should have 3 dots? </P> Thu, 27 Sep 2018 17:07:55 GMT iatwal 2018-09-27T17:07:55Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394503#M70427 <P>I have these types of logs coming into Splunk today from 3 heavy forwarders (syslog servers) via inputs.conf apps I've deployed from a deployer.</P> <PRE><CODE>Sep 27 07:11:08 hq1acptrvra1202.me.com ea_tomcat: env=ACPT profile=claymore Sep 27 07:11:08 hq1acptrvra1202.me.com ea_tomcat: env=ACPT profile=claymore (nmon) CMD (/etc/nmon-logger/bin/nmon_helper.sh /etc/nmon-logger /var/log/nmon-logger &gt;&gt; /var/log/nmon-logger/nmon_collect.log 2&gt;&amp;1) </CODE></PRE> <P>I want to send all events with "nmon" in them to the Null Queue. I created an app to send out props/tranforms to the Heavy Forwarders and for consistency I sent the same to our cluster of indexers. Logs are still coming in. What are we missing?</P> <P>Source:</P> <PRE><CODE>/vcaclog/ACPT/broker-fad-api/hq1acptrvra0775.me.com/ea_tomcat.log </CODE></PRE> <P>everything segment after /vcaclog/ can be dynamic.</P> <P>props.conf</P> <PRE><CODE>[source::/vcaclog/*] TRANSFORMS-null= setnull-test </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull-test] REGEX = (?m)(nmon) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Thu, 27 Sep 2018 15:56:47 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394503#M70427 iatwal 2018-09-27T15:56:47Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394504#M70428 <P>Try:</P> <PRE><CODE>[source::/vcaclog/...] </CODE></PRE> <P><CODE>*</CODE> doesn't match across <CODE>/</CODE> characters in source.</P> Thu, 27 Sep 2018 16:56:35 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394504#M70428 FrankVl 2018-09-27T16:56:35Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394505#M70429 <P>so after /vcacalog/... I should have 3 dots? </P> Thu, 27 Sep 2018 17:07:55 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394505#M70429 iatwal 2018-09-27T17:07:55Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394506#M70430 <P>Yes..<BR /> please refer this more info-<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/Specifyinputpathswithwildcards">http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/Specifyinputpathswithwildcards</A></P> Thu, 27 Sep 2018 17:22:45 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394506#M70430 493669 2018-09-27T17:22:45Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394507#M70431 <P>Thank you this worked!</P> Thu, 27 Sep 2018 19:22:19 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394507#M70431 iatwal 2018-09-27T19:22:19Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394508#M70432 <P>Glad to hear that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Please mark the answer as accepted, so others can also quickly find this as the correct answer if they stumble upon the same question <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 28 Sep 2018 07:15:56 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-send-events-to-null-queue-from-a-farm-of-heavy/m-p/394508#M70432 FrankVl 2018-09-28T07:15:56Z