https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108274#M28156 <P>Are you sure this configuration is in the right place? See <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Configurationparametersandthedatapipeline">http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Configurationparametersandthedatapipeline</A></P> Wed, 31 Oct 2012 06:14:16 GMT gkanapathy 2012-10-31T06:14:16Z https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108273#M28155 <P>Hi,</P> <P>I have looked at the docs and tried to remove a line from nginx access log regarding our LB :</P> <PRE><CODE>192.168.27.169 - - [30/Oct/2012:23:02:53 +0000] "GET /node/lbtest.txt HTTP/1.0" 200 9 "-" "HTTP-Monitor/1.1" "-" </CODE></PRE> <P>and </P> <PRE><CODE>Started GET "/node/lbtest.txt" for 127.0.0.1 at 2012-10-30 23:55:58 +0000 Processing by HealthCheckController#lbtest as TXT </CODE></PRE> <P>Here is my <CODE>props.conf</CODE> :</P> <PRE><CODE>[sourcetype::access_combined_wcookie] TRANSFORMS-ignore=ignore [sourcetype::production-2] TRANSFORMS-null=setnull [sourcetype::access_combined_wcookie] TRANSFORMS-null2=nukefromorbit [host::app*] SEDCMD-health = s/lbtest/DEVOPS/g </CODE></PRE> <P>Please note that <CODE>production-2</CODE>, <CODE>access_combined_wcookie</CODE> sourcetypes parse Nginx logs. </P> <P>The host sending the event is <CODE>app-05</CODE>.</P> <P>Here is my <CODE>transforms.conf</CODE> :</P> <PRE><CODE>[ignore] REGEX = (?m)*lbtest* DEST_KEY = queue FORMAT = nullQueue [setnull] REGEX = lbtest|HealthCheckController DEST_KEY = queue FORMAT = nullQueue [nukefromorbit] REGEX = * DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>This conf is obviously destructive by nature (as in, way beyond removing this lbtest line, mix-n-matching), as I've tried anything possible to remove this line from the logs.</P> <P>I have restarted splunk forwarder and I'm running out of solutions.</P> <P>Thank you in advance.</P> Wed, 31 Oct 2012 00:01:40 GMT https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108273#M28155 scalp42 2012-10-31T00:01:40Z https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108274#M28156 <P>Are you sure this configuration is in the right place? See <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Configurationparametersandthedatapipeline">http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Configurationparametersandthedatapipeline</A></P> Wed, 31 Oct 2012 06:14:16 GMT https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108274#M28156 gkanapathy 2012-10-31T06:14:16Z https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108275#M28157 <P>I'm pretty sure it is :</P> <P><CODE>Parsing</CODE></P> <PRE><CODE>props.conf LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings TZ, DATETIME_CONFIG, TIME_FORMAT, TIME_PREFIX, and all other time extraction settings and rules TRANSFORMS* which includes per-event queue filtering, per-event index assignment, per-event routing. Applied in the order defined SEDCMD* MORE_THAN*, LESS_THAN* transforms.conf` stanzas referenced by a TRANSFORMS* clause in props.conf </CODE></PRE> Wed, 31 Oct 2012 18:18:47 GMT https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108275#M28157 scalp42 2012-10-31T18:18:47Z https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108276#M28158 <P>I guess my point was, is it on the right server?</P> Wed, 31 Oct 2012 18:53:03 GMT https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108276#M28158 gkanapathy 2012-10-31T18:53:03Z https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108277#M28159 <P>I think it has to be on the forwarder/nginx host.</P> Wed, 31 Oct 2012 23:13:15 GMT https://community.splunk.com/t5/Splunk-Search/Can-t-replace-a-healthcheck-string-in-nginx/m-p/108277#M28159 scalp42 2012-10-31T23:13:15Z