Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Changes to transforms not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changes to transforms not working
steve543
New Member
11-02-2011
11:56 AM
I am trying to prune some noise from my logs. Here are my props.conf and transforms.conf. Any Idea what I am missing. The dhcpcd messages are still getting through.
# more props.conf
[source::/var/log/hosts]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set= setnull,setparsing
# vi transforms.conf
[sendmailnull]
REGEX = .*sendmail.*$
DEST_KEY = queue
FORMAT = nullQueue
[puppetdnull]
REGEX = .*puppetd.*
DEST_KEY = queue
FORMAT = nullQueue
[setnull]
REGEX = .*dhcpcd.*
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmacgillivray
Communicator
07-29-2014
08:37 AM
Hello, does the above sendmail stanza really remove all sendmail events?? If so, I will be using it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
11-02-2011
12:36 PM
- Did you restart Splunk?
- Are the events you want to filter in just the source "/var/log/hosts"?
- It's really "dhcpcd" and not "dhcpd" you're looking for?
- What does
setparsingcontain? Might it have something that overrides thesetnullsettings?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
11-02-2011
01:21 PM
I don't have a test setup to try this on so I cannot verify how Splunk reacts when you specify a transform that does not exist, however removing the "setparsing" reference in props.conf is definitely one step worth trying.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
steve543
New Member
11-02-2011
12:56 PM
Yes, I restart splunk after each edit. Yes, all of the files are in /var/log/hosts. Yes it is dhcpcd. Here is a sample. Nov 2 14:13:33 STORE00046-BACKUP dhcpcd[3207]: usb0: cannot request a link local address. Setparsing actually is not in use anywhere. I grabbed that config from another example in this forum. That may be part of the problem. I read a reference to inputs.conf somewhere but don't understand the link.
I did notice that when I make the changes the volume does seem to drop (but not disappear completely) that day, then after midnight, it seems to go back up again.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
