Strip lines from Logs before Indexing in Splunk Cloud

schua — Wed, 30 Sep 2020 05:26:40 GMT

Hi,

I have an Apache instance with Splunk Forwarder installed that sends logs to Splunk Cloud directly (no heavy forwarders).

In the /var/log/httpd/error_logs, we have tons of entries from our load balancer to check the status:
[Thu May 14 12:11:42.799506 2020] [rewrite:trace2] [pid 26491:tid mod_rewrite.c(470): [client 10.2.35.111:29429] 10.2.35.111 - - [10.2.35.111/sid#559b685a5a10][rid#559b689f9aa0/initial] init rewrite engine with requested uri /en/healthcheck.html

How do I exclude this before going to Splunk Cloud Indexer?

I tried adding props.conf and transforms.conf under /opt/splunkforwarder/etc/system/local/ but did not work.

props.conf
[source::/var/log/httpd/error_log]
TRANSFORMS-null= setnull

transforms.conf
[setnull]
REGEX = rewrite
DEST_KEY = queue
FORMAT = nullQueue

for REGEX, i also tried
healthcheck.html
\/en\/healthcheck.html

Thanks,
Sherwin

Re: Strip lines from Logs before Indexing in Splunk Cloud

PavelP — Thu, 14 May 2020 16:40:15 GMT

Hello @schua,

nullQueue work only on a Splunk instance which first parses/indexes events. UF doesn't parse events, so you need to apply this config on HF or Indexer

topic Re: Strip lines from Logs before Indexing in Splunk Cloud in Getting Data In

Strip lines from Logs before Indexing in Splunk Cloud

Re: Strip lines from Logs before Indexing in Splunk Cloud