topic Re: Ignore Events from Mutiple Sources in Splunk Search

Ignore Events from Mutiple Sources

chrisboy68 — Wed, 20 May 2015 10:32:30 GMT

Hi,

I have multiple sources to one sourcetype. I'm trying to drop events and my props and transforms work fine by the sourcetype. However, I want to have different rules by sourcetype.

in Props.conf

[source::MyLogService*.log] 
TRANSFORMS-grtrash2 = eliminate-debug

in Transform.conf

[eliminate-debug]
REGEX = (?m)-\s*DEBUG\s*-
DEST_KEY = queue
FORMAT = nullQueue

I've tried different combinations of defining the "source" and props.conf and nothing is working. Real source looks like:
\server\logfolder\MyLogService150520-01.log

Any ideas?

Thank you!

Chris

Re: Ignore Events from Mutiple Sources

chrisboy68 — Wed, 20 May 2015 13:47:33 GMT

I also changed the source to a full regex. Tested the regex is working correctly. Still not applying the Transforms. I can only get the Transforms to work by using the the sourcetype, baffled with source is not working.

In Props:

[source::.server\d+.folder\$.MyLogService\d+-\d+\.log]  
TRANSFORMS-grtrash = setnull , setparsing, badError, badError2

The source:
\server001\folder$\MyLogService150515-03.log

Thanks

Chris

Re: Ignore Events from Mutiple Sources

woodcock — Wed, 20 May 2015 14:12:21 GMT

Your RegEx is wrong:

[source::.*server\d+folder\$MyLogService\d+-\d+\.log]

Re: Ignore Events from Mutiple Sources

chrisboy68 — Wed, 20 May 2015 14:52:45 GMT

Thanks, I tried that and its still not working. This was a typo with me masking the real text. I validate my regex here: https://regex101.com/#python to make sure my entire source is captured.

Baffled....

Chris

Re: Ignore Events from Mutiple Sources

woodcock — Wed, 20 May 2015 15:12:48 GMT

The documentation says this:

Match expressions must match the entire name, not just a substring. If you are familiar
with regular expressions, match expressions are based on a full implementation of PCRE with the
translation of ..., * and . Thus . matches a period, * matches non-directory separators,
and ... matches any number of any characters.

For more information see the wildcards section at:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards

And the referenced like says this:

Important: Input path specifications in inputs.conf don't use regular expressions (regexes) but rather Splunk-defined wildcards.

So I think it needs to be like this:

 [source::.../server\d+folder\$MyLogService\d+-\d+\.log]

Re: Ignore Events from Mutiple Sources

chrisboy68 — Wed, 20 May 2015 16:39:48 GMT

Driving me batty,

With the source name of :
\server001\folder$\MyLogService150515-03.log

I did:
[source::\\server001\folder$\MyLogService*.log]

Still no go. grrr.

Chris

Re: Ignore Events from Mutiple Sources

woodcock — Wed, 20 May 2015 16:43:10 GMT

Try the FULL PATH with literal filename (no RegEx) and work backwards from there.