All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does splunk process transforms.conf ?

jeffking
Engager
‎10-10-2013 11:28 AM

Hello, I have a couple of questions -

I have a splunk forwarder with the SCOM app forwarding events to my splunk indexer. I have a lot of events forwarding and noticed that it takes a few hours before the events show up via search. How can I determine if this is due to the indexer still processing events or the forwarder being slow sending the events to the indexer?

I'm trying to cut down on the events by filtering out some unneeded events. I don't need any events from this sourcetype that contain "Failure Code: 0x19". Here's what I put in my props.conf & transforms.com

props.conf:

[SCOM:Events:Security]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
KV_MODE=none
TRANSFORMS-null = setnull

transforms.conf:

[setnull]
REGEX = (?m)^.*Failure\s+Code:\s+0x19.*$
DEST_KEY = queue
FORMAT = nullQueue

How can I tell this is working if the indexer is still processing events? Does it process the event when it indexes or when it receives the event from the forwarder? Does the regex look okay to you?

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎10-10-2013 11:48 AM

You can test the regex with a search in the search app.

sourcetype=SCOM:Events:Security | regex _raw=(?m)^.*Failure\s+Code:\s+0x19.*$

The Transforms are processed on the indexer unless the forwarder is a heavy forwarder that is cooking the data in which case it is done on the heavy forwarder.

View solution in original post

Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎10-10-2013 11:48 AM

You can test the regex with a search in the search app.

sourcetype=SCOM:Events:Security | regex _raw=(?m)^.*Failure\s+Code:\s+0x19.*$

The Transforms are processed on the indexer unless the forwarder is a heavy forwarder that is cooking the data in which case it is done on the heavy forwarder.

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-10-2013 02:49 PM

You are welcome. Feel free to accept the answer:)

0 Karma
Reply
Solved! Jump to solution

jeffking
Engager
‎10-10-2013 02:30 PM

Thanks for the help, lukejadamec. I set the transform on the heavy forwarder and that seems to do the trick. Also, by stopping the heavy forwarder I noticed events stopped coming into the indexer. So that answers my first question about the bottleneck. It's slow from the forwarder, and adding that nullqueue I believe will help.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-10-2013 12:02 PM

You should put the transform on the heavy forwarder that way if you should make a change in the future to the forwarder function you won't loose this piece.
With transforms, they are done only once - once cooked it cannot be recooked. In other words, you can't transform in both places.

0 Karma
Reply
Solved! Jump to solution

jeffking
Engager
‎10-10-2013 11:57 AM

Thanks. That is how I built the regex query and it works in the search app. The forwarder is a heavy forwarder, but I don't think the SCOM app is cooking the data, just forwarding it. I think I need to do some testing where the transforms.conf is being processed.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...