- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Changes to transforms not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changes to transforms not working
I am trying to prune some noise from my logs. Here are my props.conf and transforms.conf. Any Idea what I am missing. The dhcpcd messages are still getting through.
# more props.conf
[source::/var/log/hosts]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set= setnull,setparsing
# vi transforms.conf
[sendmailnull]
REGEX = .*sendmail.*$
DEST_KEY = queue
FORMAT = nullQueue
[puppetdnull]
REGEX = .*puppetd.*
DEST_KEY = queue
FORMAT = nullQueue
[setnull]
REGEX = .*dhcpcd.*
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, does the above sendmail stanza really remove all sendmail events?? If so, I will be using it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Did you restart Splunk?
- Are the events you want to filter in just the source "/var/log/hosts"?
- It's really "dhcpcd" and not "dhcpd" you're looking for?
- What does
setparsingcontain? Might it have something that overrides thesetnullsettings?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't have a test setup to try this on so I cannot verify how Splunk reacts when you specify a transform that does not exist, however removing the "setparsing" reference in props.conf is definitely one step worth trying.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I restart splunk after each edit. Yes, all of the files are in /var/log/hosts. Yes it is dhcpcd. Here is a sample. Nov 2 14:13:33 STORE00046-BACKUP dhcpcd[3207]: usb0: cannot request a link local address. Setparsing actually is not in use anywhere. I grabbed that config from another example in this forum. That may be part of the problem. I read a reference to inputs.conf somewhere but don't understand the link.
I did notice that when I make the changes the volume does seem to drop (but not disappear completely) that day, then after midnight, it seems to go back up again.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
