https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420155#M73993 <P>Have you verified the regex works in a tool like regex101.com?</P> Mon, 08 Oct 2018 20:43:04 GMT kmorris_splunk 2018-10-08T20:43:04Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420154#M73992 <P>I have the universal forwarder pushed out to some Apache web servers that are indexing some access logs. I would like to send events that represent status checks to nullQueue so they are not indexed. Seems like a pretty simple task to accomplish, but inspection of the logs confirms the events are still being indexed. Here is my props/transforms on my indexers:</P> <P>Here is a sample event:<BR /> <STRONG>10.10.10.10 - - [08/Oct/2018:14:51:33 -0500] "GET /heartbeat_flow HTTP/1.1" 200 7 "-" "-" - -</STRONG></P> <P>Here is my props/transforms on my indexers:<BR /> <STRONG>[access_combined]<BR /> TRANSFORMS-SendHealthChecksToNull = SendHealthChecksToNull1,SendHealthChecksToNull2</STRONG></P> <P><STRONG>[SendHealthChecksToNull1]<BR /> REGEX = GET (?:\/.*)?\/(?:DateServlet|dateservlet.ashx|ping)\/? HTTP\/1.1<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</STRONG></P> <P><STRONG>[SendHealthChecksToNull2]<BR /> REGEX = GET (?:\/secure\/webmon\/monitor.html|\/heartbeat_flow|\/wps\/portal\/dpath\/monitor|\/webmon\/test.html|\/mf_monitor|\/applicationDBcheck.php|\/check.txt) HTTP\/1.1<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</STRONG></P> <P>What am I doing wrong?</P> Tue, 29 Sep 2020 21:34:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420154#M73992 _smp_ 2020-09-29T21:34:30Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420155#M73993 <P>Have you verified the regex works in a tool like regex101.com?</P> Mon, 08 Oct 2018 20:43:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420155#M73993 kmorris_splunk 2018-10-08T20:43:04Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420156#M73994 <P>Yep, I have. It matches.</P> Mon, 08 Oct 2018 20:51:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420156#M73994 _smp_ 2018-10-08T20:51:17Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420157#M73995 <P>can you try first only one like below to check if it is working-<BR /> in props.conf</P> <PRE><CODE>[access_combined] TRANSFORMS-SendHealthChecksToNull = SendHealthChecksToNull2 </CODE></PRE> <P>in transforms.conf -</P> <PRE><CODE>[SendHealthChecksToNull2] REGEX = GET\s\/(secure|webmon|monitor\.html|heartbeat_flow|wps|portal|dpath|monitor|test\.html|mf_monitor|applicationDBcheck\.php|check\.txt)\sHTTP\/1.1 DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Tue, 09 Oct 2018 04:29:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420157#M73995 493669 2018-10-09T04:29:45Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420158#M73996 <P>Hi scottprigge,<BR /> have you an Heavy Forwarder between Universal Forwarder and Indexers?<BR /> if yes, you have to put your filter on the Heavy Forwarder.<BR /> Bye.<BR /> Giuseppe</P> Tue, 09 Oct 2018 07:49:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420158#M73996 gcusello 2018-10-09T07:49:21Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420159#M73997 <P>No, there is no HF in play. It's just UF on the web servers forwarding to the indexers.</P> Tue, 09 Oct 2018 12:21:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420159#M73997 _smp_ 2018-10-09T12:21:59Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420160#M73998 <P>@scottprigge, have you tried this on indexer?</P> Tue, 09 Oct 2018 12:33:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420160#M73998 493669 2018-10-09T12:33:03Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420161#M73999 <P>Ok,<BR /> so try to have two different commands in props.conf:</P> <PRE><CODE>[access_combined] TRANSFORMS-SendHealthChecksToNull1 = SendHealthChecksToNull1 TRANSFORMS-SendHealthChecksToNull2 = SendHealthChecksToNull2 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 09 Oct 2018 12:35:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420161#M73999 gcusello 2018-10-09T12:35:57Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420162#M74000 <P>Yes, all the config I referenced is on the indexer.</P> Tue, 09 Oct 2018 12:39:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420162#M74000 _smp_ 2018-10-09T12:39:57Z https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420163#M74001 <P>The issue was using a space instead of \s in the REGEX stanza. Thanks for the post!</P> Tue, 09 Oct 2018 12:41:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-come-Apache-web-server-logs-being-sent-to-nullQueue-are/m-p/420163#M74001 _smp_ 2018-10-09T12:41:24Z