topic Yet Another Problem Sending Events to the nullQueue in Getting Data In

Yet Another Problem Sending Events to the nullQueue

oreoshake — Fri, 14 May 2010 07:12:13 GMT

We are using "heavy" forwarders, but I have the following config on both the forwarder and the indexer but the events are not being dropped for some reason.

A typical event that we are trying to drop looks like this:

=INFO REPORT==== 14-May-2010::00:00:54 
=== closing TCP connection <0.17671.5> from 10.1.1.1:12345
sourcetype=rabbit

props.conf

[rabbit*]
TRANSFORMS-rabbit=rabbit

transforms.conf

[rabbit]
REGEX=(?m)INFO REPORT
DEST_KEY=queue
FORMAT=nullQueue

The sourcetype is set in inputs.conf, I have removed all references to rabbit in the learned app

Re: Yet Another Problem Sending Events to the nullQueue

Chris_R_ — Wed, 19 May 2010 04:44:06 GMT

Do the "rabbit" results returned in the UI match any in $SPLUNK_HOME/etc/apps/learned/local/props.conf
Occasionally splunk will learn the wrong sourcetype, you can actually delete entries out of the learned props.conf if it does not match the props.conf entries you want.

The sourcetype-too_small entries usually mean the amount of data splunk was trying to learn/create props from was too small in the file, source etc...

Re: Yet Another Problem Sending Events to the nullQueue

oreoshake — Wed, 19 May 2010 05:17:04 GMT

I deleted the entries in etc/app/learned/local/props.conf. Also, the sourcetype originally wasn't set in inputs so it's possible that the learned types were causing my transform to be skipped. I fixed this so the sourcetype is set in inputs.conf but my transform still isn't being applied

Re: Yet Another Problem Sending Events to the nullQueue

oreoshake — Wed, 19 May 2010 05:56:50 GMT

No sourcetype was set in inputs.conf, causing it to be set by props.conf in the learned app, thus ignoring my second props entry that was less specific. After setting the sourcetype in inputs.conf and deleting the entries in the learned app, I had to remove the trailing * to get the transform to be applied.

Re: Yet Another Problem Sending Events to the nullQueue

Chris_R_ — Wed, 19 May 2010 06:17:05 GMT

Ok great, yeah setting the sourcetype in inputs.conf is usually the way to go.