Not able to filter nagios:core logs after ingestion

kishor_pinjarka
Path Finder

Hi,

I am able to see logs ingested into Splunk, however, I am not able to filter nagios:core logs. Also I am not able to see the _raw field. Please see the attached image.

Input stanza used on UF:

@### local]# cat inputs.conf

[monitor:///usr/local/nagios/var/nagios.log]
index=nagios
sourcetype = nagios:core


0 Karma
1 Solution

gcusello
Legend

Hi @kishor_pinjarkar_ebay,
to filter logs, you have to configure props and transforms on Indexers or (when present) Heavy Forwarders:
In props.conf, set the TRANSFORMS-null attribute:

[nagios:core]
TRANSFORMS-null= setnull

Create a corresponding stanza in transforms.conf. Find the regex to find the events to discard, set DEST_KEY to "queue" and FORMAT to "nullQueue":

[setnull]
REGEX = regex to filter
DEST_KEY = queue
FORMAT = nullQueue

For more information see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad

Ciao.
Giuseppe

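A worked version of the props/transforms filter above, as an added example that is not part of Giuseppe's answer or of Splunk itself: a small Python simulation of how the parsing tier applies the transforms named in a TRANSFORMS-<class> attribute to nagios:core events. The stanza contents, the regex (which keeps only HOST/SERVICE ALERT lines and discards everything else) and the nagios.log lines are constructed for the example; the helper names are my own.

```python
import re
from configparser import ConfigParser

# Constructed props.conf / transforms.conf content for the worked example (assumed,
# not from the post). The pattern is the one Splunk documents for "keep only some
# events": send everything for the sourcetype to nullQueue, then route the events
# you want to keep back to indexQueue. Splunk applies the transforms named in one
# TRANSFORMS-<class> attribute in the listed order, and the last one that matches
# and writes the queue key wins, so setnull must come before setparsing.
PROPS_CONF = r"""
[nagios:core]
TRANSFORMS-null = setnull, setparsing
"""

# Same stanzas in the wrong order: every kept event is re-discarded by setnull.
PROPS_CONF_REVERSED = r"""
[nagios:core]
TRANSFORMS-null = setparsing, setnull
"""

TRANSFORMS_CONF = r"""
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ^\[\d+\]\s+(?:HOST|SERVICE)\s+ALERT:
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed nagios.log lines in the "[epoch] TYPE: fields" layout nagios:core uses.
SAMPLE_NAGIOS_LOG = [
    "[1583233200] SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;HTTP CRITICAL - connection refused",
    "[1583233260] HOST ALERT: db01;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%",
    "[1583233320] CURRENT SERVICE STATE: web01;Disk;OK;HARD;1;DISK OK - free space 80%",
    "[1583233380] SERVICE NOTIFICATION: oncall;web01;HTTP;CRITICAL;notify-service-by-email;HTTP CRITICAL",
    "[1583233440] LOG ROTATION: DAILY",
]


def load_stanzas(text):
    """Parse .conf text into {stanza: {attribute: value}}; attribute names keep their case."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def transform_chain(props, transforms, sourcetype):
    """Ordered list of (name, stanza) transforms that props.conf applies to a sourcetype."""
    chain = []
    for attr, value in props.get(sourcetype, {}).items():
        if attr.startswith("TRANSFORMS-"):
            for name in value.split(","):
                chain.append((name.strip(), transforms[name.strip()]))
    return chain


def route_event(raw, chain):
    """Return the queue an event ends up in after the chain runs (default: indexQueue)."""
    queue = "indexQueue"
    for _name, stanza in chain:
        if stanza.get("DEST_KEY") != "queue":
            continue  # field-extraction transforms do not affect routing
        if re.search(stanza["REGEX"], raw):
            queue = stanza["FORMAT"]  # last matching transform wins
    return queue


def filter_log(lines, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF,
               sourcetype="nagios:core"):
    """Split raw events into (kept, dropped) the way the parsing queue would."""
    chain = transform_chain(load_stanzas(props_text), load_stanzas(transforms_text), sourcetype)
    kept, dropped = [], []
    for raw in lines:
        (kept if route_event(raw, chain) == "indexQueue" else dropped).append(raw)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_NAGIOS_LOG)
    print("indexed:", *kept, sep="\n  ")
    print("sent to nullQueue:", *dropped, sep="\n  ")
    kept_rev, _ = filter_log(SAMPLE_NAGIOS_LOG, props_text=PROPS_CONF_REVERSED)
    print("indexed with reversed order:", len(kept_rev))
```

Things to check before relying on this in a real deployment: the stanzas must live on the first full Splunk instance the data passes through (indexers, or a heavy forwarder if one sits in front of them), not on the universal forwarder, and splunkd must be restarted or the configuration reloaded for them to take effect; REGEX is matched against _raw and is unanchored unless you anchor it, so `.` matches every event; and anything routed to nullQueue is discarded before indexing and does not count against the license.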

kishor_pinjarka
Path Finder

Sorry to mention that filtering is not working in Search.

Meaning, when I write index=### sourcetype=### "keyword for filter",
I am not able to see anything even though those keywords are present in the logs.

Let me know if you need more details. And thank you for your response.

0 Karma

gcusello
Legend

Hi @kishor_pinjarkar_ebay,
What search mode are you using? You have to use Verbose.

Ciao.
Giuseppe

0 Karma

kishor_pinjarka
Path Finder

Yes, I tried that earlier. However, same results.

0 Karma

gcusello
Legend

Hi @kishor_pinjarkar_ebay,
What's the behaviour when adding the search terms one by one, possibly using the Splunk features?

  • start from index=nagios,
  • and then choose the sourcetype by Interesting fields panel,
  • then choose the keywords clicking on them one by one and adding to the search

Ciao.
Giuseppe

0 Karma

kishor_pinjarka
Path Finder

Yes, like that it's working 🙂

However, why am I not able to see the _raw event when I expand the event from the right-hand side? Any idea?

0 Karma

gcusello
Legend

Hi @kishor_pinjarkar_ebay,
You don't see _raw in the fields list; to see _raw, you have to select Raw mode with the button above "i" and "Time", to the left of "Format".

If this answer solves your question, please accept and/or upvote it.

Ciao and next time.
Giuseppe

0 Karma

kishor_pinjarka
Path Finder

Thank you 🙂

0 Karma

gcusello
Legend

You're welcome!
Ciao and next time.
Giuseppe

0 Karma