Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Changes to transforms not working

steve543
New Member
‎11-02-2011 11:56 AM

I am trying to prune some noise from my logs. Here are my props.conf and transforms.conf. Any Idea what I am missing. The dhcpcd messages are still getting through.

# more props.conf
[source::/var/log/hosts]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set= setnull,setparsing
# vi transforms.conf
[sendmailnull]
REGEX = .*sendmail.*$
DEST_KEY = queue
FORMAT = nullQueue

[puppetdnull]
REGEX = .*puppetd.*
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = .*dhcpcd.*
DEST_KEY = queue
FORMAT = nullQueue
Tags (1)
0 Karma
Reply
Highlighted

Re: Changes to transforms not working

Ayn
Legend
‎11-02-2011 12:36 PM
  1. Did you restart Splunk?
  2. Are the events you want to filter in just the source "/var/log/hosts"?
  3. It's really "dhcpcd" and not "dhcpd" you're looking for?
  4. What does setparsing contain? Might it have something that overrides the setnull settings?
0 Karma
Reply
Highlighted

Re: Changes to transforms not working

steve543
New Member
‎11-02-2011 12:56 PM

Yes, I restart splunk after each edit. Yes, all of the files are in /var/log/hosts. Yes it is dhcpcd. Here is a sample. Nov 2 14:13:33 STORE00046-BACKUP dhcpcd[3207]: usb0: cannot request a link local address. Setparsing actually is not in use anywhere. I grabbed that config from another example in this forum. That may be part of the problem. I read a reference to inputs.conf somewhere but don't understand the link.
I did notice that when I make the changes the volume does seem to drop (but not disappear completely) that day, then after midnight, it seems to go back up again.

0 Karma
Reply
Highlighted

Re: Changes to transforms not working

Ayn
Legend
‎11-02-2011 01:21 PM

I don't have a test setup to try this on so I cannot verify how Splunk reacts when you specify a transform that does not exist, however removing the "setparsing" reference in props.conf is definitely one step worth trying.

0 Karma
Reply
Highlighted

Re: Changes to transforms not working

dmacgillivray
Communicator
‎07-29-2014 08:37 AM

Hello, does the above sendmail stanza really remove all sendmail events?? If so, I will be using it.

0 Karma
Reply
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.