https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466519#M80366 <PRE><CODE>2020-05-28T14:19:34-04:00 abuhnasfiler01.euc.ppg.com 1 2020-05-28T21:19:34.322906+03:00 abuhnasfiler01 nasuni.7e485ffc-4467-468f-b298-1 11064 8103704790 - {"to_gid": null, "event_type": "AUDIT_SETXATTR", "sequence": 63553546, "pid": 18010, "groupname": "PPGEUR\\domain users", "result": 0, "uid": 80399113, "is_dir": false, "size": null, "timestamp": 1590689974.2567756, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.174.100.2", "ts": null, "to": null, "gid": 80001513, "filesize": null, "to_uid": null, "sid": "S-1-5-21-1570054266-39153565-926709054-398113", "tid": 18010, "username": "PPGEUR\\m00990", "path_timestamp": 0.0, "datasync": null, "volume": "7e485ffc-4467-468f-b298-17e52bab439b_0", "offset": null, "path": "/now/Groups/Common/Sales_Tinting/Silviu/Qlik/2015/Ianuarie 2015/Primite/Rapoarte/Total Decembrie 2014/pigment_67559.csv", "newpath": null, "shared_link_key": null, "resource": "BUHGroups$", "name": "user.DOSATTRIB", "length": null, "flags": null, "mode": null} event_type = SETXATTReventtype = nix-all-logshost = abuhnasfiler01.euc.ppg.comindex = nasuni_auditingsource = /syslog-ng/nasuni/abuhnasfiler01.euc.ppg.com/2020-05-28.logsourcetype = nasuni </CODE></PRE> Thu, 28 May 2020 18:29:37 GMT bnichols024 2020-05-28T18:29:37Z https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466517#M80364 <P>I'm having some issues sending specific events to <CODE>nullQueue</CODE>. I want all events from a specific source with the <CODE>event_type=SETXATTR</CODE> sent to <CODE>nullqueue</CODE>. I have this in my props and transforms files that is currently not working:</P> <P>Props.conf</P> <PRE><CODE>[source::/syslog-ng/nasuni/*/*.log] TRANSFORMS-null= setnull </CODE></PRE> <P>Transforms.conf</P> <PRE><CODE>[setnull] REGEX = (?&lt;event_type&gt;SETXATTR) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Also, where exactly on the indexers should these be? I've read some say to put in the <CODE>$SPLUNK_HOME/etc/system/local</CODE> folder and others say to put in the <CODE>$SPLUNK_HOME/etc/apps/myapp/local</CODE> folder.</P> <P>Thanks!</P> Sun, 07 Jun 2020 01:04:35 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466517#M80364 bnichols024 2020-06-07T01:04:35Z https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466518#M80365 <P>Hi,</P> <P>Please check the regex whether it's capturing the data as needed. Please give us a sample event to work it out for you.<BR /> Your props and transforms are correct<BR /> The best practice is to put the conf in your app directory <CODE>$SPLUNK_HOME/etc/apps/myapp/local</CODE>.</P> Thu, 28 May 2020 18:03:13 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466518#M80365 dindu 2020-05-28T18:03:13Z https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466519#M80366 <PRE><CODE>2020-05-28T14:19:34-04:00 abuhnasfiler01.euc.ppg.com 1 2020-05-28T21:19:34.322906+03:00 abuhnasfiler01 nasuni.7e485ffc-4467-468f-b298-1 11064 8103704790 - {"to_gid": null, "event_type": "AUDIT_SETXATTR", "sequence": 63553546, "pid": 18010, "groupname": "PPGEUR\\domain users", "result": 0, "uid": 80399113, "is_dir": false, "size": null, "timestamp": 1590689974.2567756, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.174.100.2", "ts": null, "to": null, "gid": 80001513, "filesize": null, "to_uid": null, "sid": "S-1-5-21-1570054266-39153565-926709054-398113", "tid": 18010, "username": "PPGEUR\\m00990", "path_timestamp": 0.0, "datasync": null, "volume": "7e485ffc-4467-468f-b298-17e52bab439b_0", "offset": null, "path": "/now/Groups/Common/Sales_Tinting/Silviu/Qlik/2015/Ianuarie 2015/Primite/Rapoarte/Total Decembrie 2014/pigment_67559.csv", "newpath": null, "shared_link_key": null, "resource": "BUHGroups$", "name": "user.DOSATTRIB", "length": null, "flags": null, "mode": null} event_type = SETXATTReventtype = nix-all-logshost = abuhnasfiler01.euc.ppg.comindex = nasuni_auditingsource = /syslog-ng/nasuni/abuhnasfiler01.euc.ppg.com/2020-05-28.logsourcetype = nasuni </CODE></PRE> Thu, 28 May 2020 18:29:37 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466519#M80366 bnichols024 2020-05-28T18:29:37Z https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466520#M80367 <P>Hi bnichols024, </P> <P>I think your REGEX is incorrect....you made the capture group a named group called event_type, rather than looking for the string. </P> <P>Try this: </P> <PRE><CODE>[setnull] REGEX = (event_type = SETXATTR) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 29 May 2020 14:05:07 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-sending-events-to-nullQueue/m-p/466520#M80367 darrenfuller 2020-05-29T14:05:07Z