Dashboards & Visualizations

Search to list all regexp in a stanza that alter the key QUEUE to nullQueue

Masterbaker
Explorer

Hi! I'm using props.conf and transforms.conf (directly on my indexer) to prevent specific events from being indexed by Splunk, to save disk space and keep our licensing costs low.

Example transforms.conf :

[discard_useless_stuff]
REGEX=my_regexp_to_match_unwanted_events
DEST_KEY = queue
FORMAT = nullQueue

I'd like to provide my end users with a dashboard / report that shows them all the stuff that is getting discarded that way so they can look up that search before bugging me for assistance.

Question: Is there a query I could use from splunkweb to list all of the regexps that are in a stanza that is altering the key QUEUE to nullQueue?
Bonus points: Any way to get a metric showing the number of events discarded using this method?
Triple bonus points: Same questions, but when stuff gets discarded on a heavy forwarder?

Thanks!


somesoni2
Revered Legend

Answer 1: Assuming your transforms.conf entries that filter events are kept on the indexers, and the indexers are added as search peers to your search heads, run this from your search head to get the list of REGEXes.

| rest /services/configs/conf-transforms | search DEST_KEY=queue FORMAT=nullQueue | dedup id

To get the same info from intermediate forwarders, you need to add them (or one of them) as a search peer to your search head (or to the instance from which you'd run this query).

Answer 2: This will give you rough metrics on the number of events discarded (it uses the nullqueue metrics log entries, which show nullqueue sizes).

index=_internal sourcetype=splunkd component=Metrics group=queue name=nullqueue current_size>0 | stats sum(current_size) as Discarded_events

This should work for both indexers and intermediate forwarders (as long as their internal logs are being forwarded to the indexers).

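The following is an added example, not code from the thread and not Splunk's own: a small offline model of the props.conf/transforms.conf routing the question describes. It parses constructed conf text, lists the stanzas that set DEST_KEY=queue to nullQueue (the first question) and counts, per sourcetype, how many constructed sample events would be discarded (the bonus question). It applies the transforms for a sourcetype in the order Splunk does (TRANSFORMS-<class> keys in ASCII order, transforms in list order, last matching queue transform wins), so it also covers the common "send everything to nullQueue, then rescue what you want with indexQueue" pattern. Stanza names, sourcetypes and log lines are made up for illustration, and Python's re module stands in for Splunk's PCRE engine, so unusual regex syntax may behave differently.

```python
"""Offline model of Splunk nullQueue routing (added example, not Splunk code).

Conf text and log lines below are constructed for illustration. Python's re
is used in place of Splunk's PCRE engine.
"""
import re
from collections import Counter

# Constructed props.conf: the second sourcetype uses the "discard all, then
# rescue" ordering pattern (setnull first, keep_errors second).
PROPS_CONF = r"""
[syslog]
TRANSFORMS-null = discard_useless_stuff

[access_combined]
TRANSFORMS-routing = setnull, keep_errors
"""

# Constructed transforms.conf; the first stanza mirrors the question's example.
# rewrite_host is here to show that not every stanza touches the queue key.
TRANSFORMS_CONF = r"""
[discard_useless_stuff]
REGEX = (?i)\bdebug\b
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_errors]
REGEX = \s5\d\d\s
DEST_KEY = queue
FORMAT = indexQueue

[rewrite_host]
REGEX = ^(\S+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
"""

# Constructed sample events as (sourcetype, _raw) pairs.
SAMPLE_EVENTS = [
    ("syslog", "Mar  1 10:00:01 host1 app[123]: DEBUG heartbeat ok"),
    ("syslog", "Mar  1 10:00:02 host1 app[123]: ERROR disk full"),
    ("syslog", "Mar  1 10:00:03 host1 sshd[99]: debug1: channel 0 free"),
    ("access_combined", '10.0.0.1 - - [01/Mar:10:00:04] "GET / HTTP/1.1" 200 512'),
    ("access_combined", '10.0.0.2 - - [01/Mar:10:00:05] "GET /api HTTP/1.1" 503 17'),
    ("access_combined", '10.0.0.3 - - [01/Mar:10:00:06] "POST /x HTTP/1.1" 404 0'),
]


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Hand-rolled rather than configparser: Splunk keys are case-sensitive and
    REGEX values may contain '%' or '$', which configparser would mangle.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def nullqueue_transforms(transforms):
    """First question: {stanza: REGEX} for every stanza routing to nullQueue."""
    return {name: cfg["REGEX"] for name, cfg in transforms.items()
            if cfg.get("DEST_KEY") == "queue" and cfg.get("FORMAT") == "nullQueue"}


def transform_chain(props, sourcetype):
    """Ordered transform names for a sourcetype: TRANSFORMS-<class> keys in
    ASCII order, each a comma-separated list applied left to right."""
    chain = []
    for key in sorted(k for k in props.get(sourcetype, {}) if k.startswith("TRANSFORMS-")):
        chain.extend(t.strip() for t in props[sourcetype][key].split(",") if t.strip())
    return chain


def route_event(raw, chain, transforms):
    """Final queue for one event, or None if no queue transform matched.
    Each matching transform overwrites DEST_KEY, so the last match wins."""
    queue = None
    for name in chain:
        cfg = transforms[name]
        if cfg.get("DEST_KEY") == "queue" and re.search(cfg["REGEX"], raw):
            queue = cfg["FORMAT"]
    return queue


def count_discarded(events, props, transforms):
    """Bonus question, for a sample: events sent to nullQueue per sourcetype."""
    counts = Counter()
    for sourcetype, raw in events:
        if route_event(raw, transform_chain(props, sourcetype), transforms) == "nullQueue":
            counts[sourcetype] += 1
    return counts


if __name__ == "__main__":
    props, transforms = parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF)
    for name, regex in nullqueue_transforms(transforms).items():
        print(f"{name}: REGEX={regex}")
    print(dict(count_discarded(SAMPLE_EVENTS, props, transforms)))
```

Two details worth noticing in the sample: the sshd line containing "debug1" is kept because `\b` does not match between "g" and "1", and the 200 and 404 access events are discarded while the 503 survives, because keep_errors runs after setnull and overwrites the queue key. Counting matches this way is exact for a sample; the nullqueue entries in metrics.log that the second answer sums are sampled queue depths at each metrics interval, which is why that search is only a rough estimate.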