Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Changes to transforms not working

steve543
New Member
‎11-02-2011 11:56 AM

I am trying to prune some noise from my logs. Here are my props.conf and transforms.conf. Any Idea what I am missing. The dhcpcd messages are still getting through.

# more props.conf
[source::/var/log/hosts]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set= setnull,setparsing
# vi transforms.conf
[sendmailnull]
REGEX = .*sendmail.*$
DEST_KEY = queue
FORMAT = nullQueue

[puppetdnull]
REGEX = .*puppetd.*
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = .*dhcpcd.*
DEST_KEY = queue
FORMAT = nullQueue
Tags (1)
0 Karma
Reply

dmacgillivray
Communicator
‎07-29-2014 08:37 AM

Hello, does the above sendmail stanza really remove all sendmail events?? If so, I will be using it.

0 Karma
Reply

Ayn
Legend
‎11-02-2011 12:36 PM
  1. Did you restart Splunk?
  2. Are the events you want to filter in just the source "/var/log/hosts"?
  3. It's really "dhcpcd" and not "dhcpd" you're looking for?
  4. What does setparsing contain? Might it have something that overrides the setnull settings?
0 Karma
Reply

Ayn
Legend
‎11-02-2011 01:21 PM

I don't have a test setup to try this on so I cannot verify how Splunk reacts when you specify a transform that does not exist, however removing the "setparsing" reference in props.conf is definitely one step worth trying.

0 Karma
Reply

steve543
New Member
‎11-02-2011 12:56 PM

Yes, I restart splunk after each edit. Yes, all of the files are in /var/log/hosts. Yes it is dhcpcd. Here is a sample. Nov 2 14:13:33 STORE00046-BACKUP dhcpcd[3207]: usb0: cannot request a link local address. Setparsing actually is not in use anywhere. I grabbed that config from another example in this forum. That may be part of the problem. I read a reference to inputs.conf somewhere but don't understand the link.
I did notice that when I make the changes the volume does seem to drop (but not disappear completely) that day, then after midnight, it seems to go back up again.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...