topic Re: REGEX for nullQueue in transforms.conf in Splunk Search

REGEX for nullQueue in transforms.conf

asarolkar — Mon, 02 Jul 2012 22:44:04 GMT

We have a certain logfile (tied to sourcetype: syslog) inbound from a forwarder which has THIS line in it:

2012-07-02 15:29:52,190 DEBUG [http-0.0.0.0-8080-3]   LoggingFilter - url=[/healthCheck/status],

We want to filter out any events ON THE INDEXER SIDE that have this content -> /healthCheck/status.

We tried making the following changes to :

i) $SPLUNK_HOME/etc/system/local/props.conf

[sourcetype::syslog]
TRANSFORMS-null=ignore

and then over at

ii) $SPLUNK_HOME/etc/system/local/transforms.conf

[ignore]
REGEX=healthCheck
DEST_Key=queue
FORMAT=nullQueue

However that does not seem to work and I am certain its because the REGEX is not setup correctly.

I have tried the following alternatives that do not work out either:

1. REGEX= \[(healthCheck)\]
 2. REGEX= (^m)(healthCheck)
 3. REGEX= \healthCheck\status
4. REGEX= ^\S+\s+(?<healthCheck>\S+)

~~~

Also, is it likely that the changes ought to made to the props.conf and transforms.conf which resides at $SPLUNK_HOME/etc/apps/search/local instead ? Any suggestions ?

Re: REGEX for nullQueue in transforms.conf

lguinn2 — Mon, 02 Jul 2012 22:48:48 GMT

This regex should match /healthCheck/status

REGEX=/healthCheck/status

None of these characters are special characters to regex. If you want to match [/healthCheck/status], then this should do it

REGEX=\[/healthCheck/status]

If neither of these works, then perhaps the problem is elsewhere. For example it is not

DEST_Key=queue

But

DEST_KEY=queue

So check your transforms.conf and props.conf very carefully. Of course, perhaps that was just a typo in your question here, not in the original file...

HTH

Re: REGEX for nullQueue in transforms.conf

asarolkar — Mon, 02 Jul 2012 23:17:19 GMT

I take that back it worked out indeed !