Filtering logs not working as expected

vimselva
Explorer

I have tried to solve this problem with all the combinations, but I am missing some key thing on how to resolve it.

I have various logs coming with source pattern as /var/log/containers/*. I would like to drop the DEBUG logs and hence have the following in props.conf:

[source::/var/log/containers/*]
TRANSFORMS-null = debug_to_null
and in transforms.conf:
[debug_to_null]
REGEX = DEBUG
DEST_KEY = queue
FORMAT = nullQueue
After making the above change, as expected, the logs with the DEBUG keyword are getting dropped.

Now, I would also like to drop logs with another pattern for a particular source pattern under /var/log/containers, so I've updated my props.conf like this:

[source::/var/log/containers/*_integration-business*.log]
TRANSFORMS-null = setnull

[source::/var/log/containers/*]
TRANSFORMS-null = debug_to_null

and updated transforms.conf like this:

[debug_to_null]
REGEX = DEBUG
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = NormalizedApiId failed to resolve
DEST_KEY = queue
FORMAT = nullQueue

After making this change, I can see that only logs with the DEBUG keyword are getting dropped; however, the logs with NormalizedApiId failed to resolve are still being ingested.

I was hoping that logs with the DEBUG keyword from all source paths matching the /var/log/containers/* pattern would be dropped, and that logs with the NormalizedApiId failed to resolve keyword from the particular source path matching the /var/log/containers/*_integration-business*.log pattern would be dropped. But it seems not to be working that way.

Please guide me on this.

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

Try changing the other TRANSFORMS definition to something else, like TRANSFORMS-null-ib-log, instead of using TRANSFORMS-null twice.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Attributeprecedencewithinafile

r. Ismo

vimselva
Explorer

Thank you @isoutamo, that worked after updating the key.

However, I am still puzzled after adding another stanza. My current props.conf:

[source::/var/log/containers/*_integration-business*.log]
TRANSFORMS-int-null = setnull

[source::/var/log/containers/*_0091*.log]
TRANSFORMS-set = allow_all

[source::/var/log/containers/*]
TRANSFORMS-null = debug_to_null

and transforms.conf:

[allow_all]
REGEX = .
# KEY names are case-sensitive: the routing key is "queue", not "QUEUE"
DEST_KEY = queue
FORMAT = indexQueue

[setnull]
REGEX = NormalizedApiId failed to resolve
DEST_KEY = queue
FORMAT = nullQueue

[debug_to_null]
REGEX = DEBUG|Debug|debug
DEST_KEY = queue
FORMAT = nullQueue

So I would like to allow any logs including the DEBUG keyword from the source pattern /var/log/containers/*_0091*.log; however, I see that the logs with the DEBUG keyword from that particular source pattern are being dropped. Is this even possible to do?

0 Karma

isoutamo
SplunkTrust

Maybe you could use that priority attribute with those two sources and use the same TRANSFORMS-null attribute for both of those sources? See details in the previous doc link.

vimselva
Explorer

You are great, that worked! Thank you for sharing knowledge.
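The arrangement Ismo describes, written out as an added example (this is not the thread's own final configuration; the paths, transform names and regexes are taken from the thread, the priority values are chosen here, and the assumption is that, for each attribute name, Splunk applies the matching source stanza with the highest priority, falling back to ASCII order of the stanza names when priorities are equal):

```ini
# props.conf (added example, not posted in the thread)
# A file such as /var/log/containers/api_0091_x.log matches BOTH the
# *_0091*.log stanza and the catch-all * stanza. Because both set the
# same attribute name, TRANSFORMS-null, only one of them is applied to
# that file, and priority (assumed: higher number wins) picks which.
# With two different attribute names (the earlier TRANSFORMS-set plus
# TRANSFORMS-null) both transforms would run and DEBUG lines would still
# end up in nullQueue.

[source::/var/log/containers/*_0091*.log]
priority = 10
TRANSFORMS-null = allow_all

[source::/var/log/containers/*_integration-business*.log]
# Different attribute name on purpose: this runs in addition to
# whatever TRANSFORMS-null resolves to for this file.
TRANSFORMS-int-null = setnull

[source::/var/log/containers/*]
priority = 1
TRANSFORMS-null = debug_to_null

# Expected outcome per sample path (constructed file names):
#   .../api_0091_x.log                 -> allow_all only      -> DEBUG kept
#   .../svc_integration-business_x.log -> setnull + debug_to_null
#                                         -> DEBUG and NormalizedApiId dropped
#   .../other_x.log                    -> debug_to_null       -> DEBUG dropped

# transforms.conf
[allow_all]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[setnull]
REGEX = NormalizedApiId failed to resolve
DEST_KEY = queue
FORMAT = nullQueue

[debug_to_null]
REGEX = DEBUG|Debug|debug
DEST_KEY = queue
FORMAT = nullQueue
```

These stanzas take effect on the instance that parses the data (an indexer or heavy forwarder), not on a universal forwarder, and nullQueue events are discarded before indexing, so verify the change with a search that the DEBUG count for non-0091 sources falls to zero while the 0091 sources keep theirs.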

gcusello
SplunkTrust

Hi @vimselva,

Check in the search dashboard whether the regex is correct, using the regex command:

<your_search>
| regex "NormalizedApiId failed to resolve"

Ciao.

Giuseppe

0 Karma

vimselva
Explorer

Yes the regex is correct and validated.

0 Karma