Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you sanity check my transforms.conf config?

daniel333
Builder
‎08-07-2019 09:49 AM

All,

Can I have a quick sanity check on this transforms.conf? Basically I want to keep any log which has fatal, critical and error and drop the rest. THEN turn around and drop some of those logs which are "known". 

# transforms.conf

[XYZ_keep]
  REGEX=(?!error)|(?!fatal)|(?!crit)|(?!splunk)
  DEST_KEY=queue
  FORMAT=nullQueue

[XYZ_nullqueue]
  REGEX=priority=INFO app_name=SolrCloud|location=MissingListingAttributeList|JmxHealthCheck
  DEST_KEY=queue
  FORMAT=nullQueue
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-07-2019 03:46 PM

You need something like this in props.conf:

TRANSFORMS-this_string_does_not_matter = XYZ_null_all, XYZ_keep, XYZ_null_some

Then in transforms.conf:

[XYZ_null_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[XYZ_keep]
REGEX=(?!error)|(?!fatal)|(?!crit)|(?!splunk)
DEST_KEY=queue
FORMAT=indexQueue

[XYZ_null_some]
REGEX=priority=INFO app_name=SolrCloud|location=MissingListingAttributeList|JmxHealthCheck
DEST_KEY=queue
FORMAT=nullQueue

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-07-2019 03:47 PM

This will NOT work, it will send everything to nullQueue.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-07-2019 03:46 PM

You need something like this in props.conf:

TRANSFORMS-this_string_does_not_matter = XYZ_null_all, XYZ_keep, XYZ_null_some

Then in transforms.conf:

[XYZ_null_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[XYZ_keep]
REGEX=(?!error)|(?!fatal)|(?!crit)|(?!splunk)
DEST_KEY=queue
FORMAT=indexQueue

[XYZ_null_some]
REGEX=priority=INFO app_name=SolrCloud|location=MissingListingAttributeList|JmxHealthCheck
DEST_KEY=queue
FORMAT=nullQueue
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2019 11:34 AM

I recommend avoiding the double-negative logic in XYZ_keep to prevent mis-understandings by future maintainers. I added the case-insensitive flag to allow for "Error", "ERROR", and "error".

[XYZ_keep]
   REGEX=(?i)(error)|(fatal)|(crit)|(splunk)
   DEST_KEY=queue
   FORMAT=indexQueue
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...