Can you sanity check my transforms.conf config?

daniel333
Builder

All,

Can I have a quick sanity check on this transforms.conf? Basically I want to keep any log which has fatal, critical or error and drop the rest, THEN turn around and drop some of those logs which are "known".

# transforms.conf

[XYZ_keep]
  REGEX=(?!error)|(?!fatal)|(?!crit)|(?!splunk)
  DEST_KEY=queue
  FORMAT=nullQueue

[XYZ_nullqueue]
  REGEX=priority=INFO app_name=SolrCloud|location=MissingListingAttributeList|JmxHealthCheck
  DEST_KEY=queue
  FORMAT=nullQueue
0 Karma
1 Solution

woodcock
Esteemed Legend

You need something like this in props.conf:

TRANSFORMS-this_string_does_not_matter = XYZ_null_all, XYZ_keep, XYZ_null_some

Then in transforms.conf:

[XYZ_null_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[XYZ_keep]
REGEX=(?!error)|(?!fatal)|(?!crit)|(?!splunk)
DEST_KEY=queue
FORMAT=indexQueue

[XYZ_null_some]
REGEX=priority=INFO app_name=SolrCloud|location=MissingListingAttributeList|JmxHealthCheck
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

woodcock
Esteemed Legend

This will NOT work, it will send everything to nullQueue.

0 Karma

richgalloway
SplunkTrust

I recommend avoiding the double-negative logic in XYZ_keep to prevent misunderstandings by future maintainers. I added the case-insensitive flag to allow for "Error", "ERROR", and "error".

[XYZ_keep]
   REGEX=(?i)(error)|(fatal)|(crit)|(splunk)
   DEST_KEY=queue
   FORMAT=indexQueue
---
If this reply helps you, Karma would be appreciated.
0 Karma
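To see why the accepted answer's three-stanza chain still needs the XYZ_keep regex from the reply above it, here is an added Python simulation of how Splunk applies a comma-separated TRANSFORMS list. It is example code written for this page, not code from the thread or from Splunk. It models one rule: each transform's REGEX is searched unanchored against the raw event and every match overwrites DEST_KEY=queue, so the last matching transform decides the queue, with indexQueue as the fallback when nothing matches. Python's re module stands in for Splunk's PCRE engine (the patterns use only syntax the two share), and the sample events are constructed.

```python
import re

# The XYZ_keep regex as posted by the OP and reused in the accepted answer:
# an alternation of negative lookaheads. At least one alternative is an
# empty match at offset 0 of any event, so the pattern matches everything.
ORIGINAL_KEEP = r"(?!error)|(?!fatal)|(?!crit)|(?!splunk)"

# The XYZ_keep regex from the later reply: a plain case-insensitive alternation.
FIXED_KEEP = r"(?i)(error)|(fatal)|(crit)|(splunk)"

# The "known noise" regex from XYZ_nullqueue / XYZ_null_some, copied from the thread.
NULL_SOME = r"priority=INFO app_name=SolrCloud|location=MissingListingAttributeList|JmxHealthCheck"


def build_chain(keep_regex):
    """(stanza, compiled REGEX, FORMAT) in the order props.conf lists them:
    TRANSFORMS-x = XYZ_null_all, XYZ_keep, XYZ_null_some."""
    return [
        ("XYZ_null_all", re.compile(r"."), "nullQueue"),
        ("XYZ_keep", re.compile(keep_regex), "indexQueue"),
        ("XYZ_null_some", re.compile(NULL_SOME), "nullQueue"),
    ]


def route(event, chain):
    """Queue the event ends up in after every transform in the chain has run.
    Each match overwrites the queue, so the last matching stanza wins (assumed
    model of Splunk's behaviour for DEST_KEY=queue)."""
    queue = "indexQueue"  # an event no transform rewrites continues to the indexer
    for _stanza, regex, fmt in chain:
        if regex.search(event):
            queue = fmt
    return queue


def route_all(keep_regex, events):
    """[(event, queue), ...] for every event, using keep_regex as XYZ_keep's REGEX."""
    chain = build_chain(keep_regex)
    return [(event, route(event, chain)) for event in events]


def regex_matches_all(pattern, events):
    """True if the pattern matches every event, i.e. it cannot filter anything."""
    regex = re.compile(pattern)
    return all(regex.search(event) for event in events)


# Constructed sample events; the field names mirror those used in the thread.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 priority=ERROR app_name=Checkout msg=payment gateway timeout",
    "2024-05-01T10:00:02 priority=INFO app_name=Checkout msg=order placed",
    "2024-05-01T10:00:03 priority=FATAL app_name=Inventory msg=out of memory",
    "2024-05-01T10:00:04 priority=CRITICAL app_name=Search msg=JmxHealthCheck failed",
    "2024-05-01T10:00:05 priority=INFO app_name=SolrCloud msg=replica synced",
    "2024-05-01T10:00:06 priority=ERROR location=MissingListingAttributeList msg=attribute absent",
]


if __name__ == "__main__":
    for label, keep in (("original XYZ_keep", ORIGINAL_KEEP), ("fixed XYZ_keep", FIXED_KEEP)):
        print(f"{label}: matches every event = {regex_matches_all(keep, SAMPLE_EVENTS)}")
        for event, queue in route_all(keep, SAMPLE_EVENTS):
            print(f"  {queue:10s}  {event}")
```

With the original lookahead regex, XYZ_keep fires on every event, so the only filtering left is XYZ_null_some and the plain INFO "order placed" line reaches the indexer. With the case-insensitive alternation, only the ERROR, FATAL and CRITICAL lines are kept, and the known-noise stanza then drops the JmxHealthCheck and MissingListingAttributeList ones. One caveat with the fixed pattern: it is a substring match, so "crit" also hits "critical" (intended here) and "error" hits anything containing that word anywhere in the event, such as a field named error_count; anchor the alternation to the field you mean, for example priority=(ERROR|FATAL|CRIT), if that turns out to leak events.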