- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Having trouble with log filtering
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am running into trouble with filtering logs before they are handed off to the indexer. Right now, my setup is that a I am co-hosting an rsyslog daemon on the same box that holds Splunk. The reason for that is that I want to retain all original logs coming in via syslog, but only a subset should go into Splunk.
My concept was that I have the syslogs deposited in a directory and have Splunk monitor that. Using these instructions, I set up props.conf and transforms.conf as follows:
# cat props.conf
[source::/var/log/remote/log1.log]
TRANSFORMS-wireless = setnull,setparsing
# cat transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = Assoc success|User Authentication
DEST_KEY = queue
FORMAT = indexQueue
However, when I activate the log file, data starts pouring into Splunk, without filtering, and quickly running through my license. I did run an "|extract reload=true" search to make sure that the new configurations were loaded before I tested.
The regular expression appears to be correct, as confirmed by a quick grep -E on the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| extract reload=true is not valid for reloading index-time settings - and in fact, as far as I know it's not needed for reloading search-time settings nowadays either, so I doubt there is ever a situation now when running | extract reload=true changes anything.
To activate changes that you've made to index-time settings, you need to restart Splunk.
Also you're saying that you want to perform filtering before logs are handed off to the indexer. Does this mean you're attempting to perform this filtering on a forwarder of some kind? Light forwarders (such as the Universal Forwarder, or a Light Forwarder) do not perform this kind of filtering - it needs to go on the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| extract reload=true is not valid for reloading index-time settings - and in fact, as far as I know it's not needed for reloading search-time settings nowadays either, so I doubt there is ever a situation now when running | extract reload=true changes anything.
To activate changes that you've made to index-time settings, you need to restart Splunk.
Also you're saying that you want to perform filtering before logs are handed off to the indexer. Does this mean you're attempting to perform this filtering on a forwarder of some kind? Light forwarders (such as the Universal Forwarder, or a Light Forwarder) do not perform this kind of filtering - it needs to go on the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the feedback; the online documentation could do with some improvement on this one 🙂 The help pages for props.conf mention in several places that an |extract reload=T should work. Restarting Splunk did indeed do the trick.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
