In /var/log/messages on numerous machines I have the following messages:
Jun 13 19:55:34 hostabc snmpd: Received SNMP packet(s) from UDP: [p.q.r.s]:46999
Jun 13 19:55:34 hostabc snmpd: Connection from UDP: [p.q.r.s]:46999
I just want to eradicate these particular messages. Ideally, I would like to not have them forwarded to the indexers in the first place, but as a first goal I just want to stop them being indexed.
Taking my cues from Splunk online docs I have made config additions on both the indexers:
# props.conf
[source::/var/log/messages]
TRANSFORMS-null = ditchCacti

# transforms.conf
[ditchCacti]
REGEX = from UDP: \[p.q.r.s\]:
DEST_KEY = queue
FORMAT = nullQueue
Splunk has been restarted, but the offending messages continue to be indexed.
Am I on the right track, or have I completely misunderstood something?
You are on the right track, but the regex is not matching. The periods in p.q.r.s need to be escaped, and the spaces need to be accounted for. I think this should work for you:
REGEX = from\sUDP:\s\[p\.q\.r\.s\]:
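To check a nullQueue regex before restarting Splunk, it helps to run it locally against the exact lines you want to drop and a few you want to keep. The script below is an added example, not part of the original answer or of Splunk itself: it applies the regex suggested above to constructed sample events (the two lines from the question plus two that must survive) and mimics what DEST_KEY = queue / FORMAT = nullQueue does, sending matches to nullQueue and everything else to indexQueue. Splunk evaluates transforms with PCRE; Python's re module handles this subset of syntax identically. The 192.0.2.x addresses and the sshd line are made up for illustration.

```python
import re

# Regex from the answer above. "p.q.r.s" stands in for the poller's real
# address, exactly as in the question; substitute your own before deploying.
CACTI_REGEX = re.compile(r"from\sUDP:\s\[p\.q\.r\.s\]:")

# Constructed sample events: the two quoted in the question, plus an SNMP
# packet from an unexpected source and an unrelated line, both of which
# must still reach the index.
SAMPLE_EVENTS = [
    "Jun 13 19:55:34 hostabc snmpd: Received SNMP packet(s) from UDP: [p.q.r.s]:46999",
    "Jun 13 19:55:34 hostabc snmpd: Connection from UDP: [p.q.r.s]:46999",
    "Jun 13 19:56:01 hostabc snmpd: Received SNMP packet(s) from UDP: [192.0.2.77]:51002",
    "Jun 13 19:56:02 hostabc sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 52000",
]


def route_event(event, regex=CACTI_REGEX):
    """Mimic a transforms.conf stanza with DEST_KEY = queue and
    FORMAT = nullQueue: an event matching the regex is discarded,
    anything else goes on to be indexed."""
    return "nullQueue" if regex.search(event) else "indexQueue"


def route_events(events, regex=CACTI_REGEX):
    """Route a batch of events and return {queue_name: [events]} so the
    kept/dropped split can be inspected before touching the indexers."""
    routed = {"indexQueue": [], "nullQueue": []}
    for event in events:
        routed[route_event(event, regex)].append(event)
    return routed


if __name__ == "__main__":
    # Pass a different compiled regex to route_events() to test your own pattern.
    result = route_events(SAMPLE_EVENTS)
    for queue, events in result.items():
        print(f"{queue}: {len(events)} event(s)")
        for event in events:
            print("   ", event)
```

Only the two Cacti lines should land in nullQueue; the SNMP packet from the other address stays in indexQueue, which is the behaviour wanted here (drop the known poller, keep any unexpected SNMP traffic visible).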
The configs are indeed on the indexers.
It is only specific messages I want to lose, so diverting an entire sourcetype to the black hole is not suitable. (As you might guess - only the Cacti polling. Any other unexpected SNMP I want to see.)
You may try routing based on sourcetype: whatever sourcetype you have configured in inputs.conf, try that in props.conf instead of the source.