https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446380#M77643 <P>I was missing a <CODE>Lookahead</CODE>, because my <CODE>Content</CODE> is positioned beyond the <CODE>4096</CODE> characters which is the default value for lookahead.<BR /> Thank you for your answers!</P> Sat, 08 Sep 2018 02:21:47 GMT amiftah 2018-09-08T02:21:47Z https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446375#M77638 <P>Hello,</P> <P>I want to discard events that contain a string "<STRONG>Content</STRONG>", the following doesnt work, because I still see events with <STRONG>Content</STRONG> after I restarted and re-indexed:</P> <P><STRONG><EM>transforms.conf</EM></STRONG><BR /> <CODE>[allNullQueue]</CODE><BR /> <CODE>REGEX = Content</CODE><BR /> <CODE>DEST_KEY = queue</CODE><BR /> <CODE>FORMAT = nullQueue</CODE></P> <P><STRONG><EM>props.conf</EM></STRONG><BR /> <CODE>[mysrctype]</CODE><BR /> <CODE>TRANSFORMS-setnull = allNullQueue</CODE></P> <P>I tried this in a standalone env, version <CODE>7.0.3</CODE> and <CODE>7.1.2</CODE> <BR /> I can't find out where the problem is coming from.</P> <P>Any clue?<BR /> Thanks</P> Fri, 07 Sep 2018 16:30:49 GMT https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446375#M77638 amiftah 2018-09-07T16:30:49Z https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446376#M77639 <P>I think only @micahkemp can help here. :horse:</P> Fri, 07 Sep 2018 16:39:06 GMT https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446376#M77639 horsefez 2018-09-07T16:39:06Z https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446377#M77640 <P>Hi, do you have the same <CODE>TRANSFORMS-setnull</CODE> class defined elsewhere apart from the props.conf in question? You can check this by running a btool on your props <CODE>splunk btool props list --debug | grep 'TRANSFORMS'</CODE>.</P> Fri, 07 Sep 2018 16:40:57 GMT https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446377#M77640 sudosplunk 2018-09-07T16:40:57Z https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446378#M77641 <P>this is Splunk Enterprise and not a universal forwarder correct?</P> Fri, 07 Sep 2018 17:47:11 GMT https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446378#M77641 marycordova 2018-09-07T17:47:11Z https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446379#M77642 <OL> <LI>must be Splunk Enterprise (not Universal Forwarder)</LI> <LI><CODE>props.conf</CODE> should reference source not sourcetype</LI> <LI><P><CODE>props.conf</CODE> TRANSFORMS class and stanza name should be unique across deployment, not just specific config file</P> <P>props.conf<BR /> [source::/mysource/example/*.csv]<BR /> TRANSFORMS-setnull = allNullQueue</P> <P>transforms.conf<BR /> [allNullQueue]<BR /> REGEX = Content<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P></LI> </OL> Fri, 07 Sep 2018 17:55:58 GMT https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446379#M77642 marycordova 2018-09-07T17:55:58Z https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446380#M77643 <P>I was missing a <CODE>Lookahead</CODE>, because my <CODE>Content</CODE> is positioned beyond the <CODE>4096</CODE> characters which is the default value for lookahead.<BR /> Thank you for your answers!</P> Sat, 08 Sep 2018 02:21:47 GMT https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446380#M77643 amiftah 2018-09-08T02:21:47Z https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446381#M77644 <P>hi @amiftah,</P> <P>It looks like you figured out how to solve your problem. Would you mind approving your answer so that others can better see your solution?</P> <P>Thanks!</P> Tue, 11 Sep 2018 16:51:13 GMT https://community.splunk.com/t5/Getting-Data-In/Transforms-why-is-nullQueue-not-working/m-p/446381#M77644 mstjohn_splunk 2018-09-11T16:51:13Z