I'm trying to filter out unwanted data, but it's not working using my current stanzas in props & transforms. However, I was able to filter using the regex and reset the sourcetype, so that should rule out an issue with the regex I'm attempting to use.
Sample log for applicationone:
2019-12-03 00:59:57,812 stdout INFO [ajp-/0.0.0.0:8009-16]: Hibernate: select sample.SAMPLE_ID as SAMPLE_ID1_5_, SAMPLE0_.sample_DESCRIPTION as sample_DESCRIPTI2_5_ from sample_SAMPLE functional0_
props.conf
[applicationone:log]
TRANSFORMS-sendtonull = removeDBqueries
transforms.conf
[removeDBqueries]
REGEX = select\s+.*)
DEST_KEY = queue
FORMAT = nullQueue
Fix this:
REGEX = select\s+.*\)
There was an issue with my REGEX. This did the trick:
REGEX = (SELECT|Select|select)\s+
DEST_KEY = queue
FORMAT = nullQueue
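As an added check that is not part of the original thread, the script below emulates the nullQueue routing decision for the regexes discussed above (the unbalanced original, the working one, and the bracket-less suggestion from the comments). Python's re module stands in for Splunk's PCRE engine for these simple patterns, the sample events are constructed, and the TIGHTER pattern is my own suggestion, not from the thread.

```python
import re

# Constructed sample events; the first is the Hibernate line from the question.
EVENTS = [
    "2019-12-03 00:59:57,812 stdout INFO [ajp-/0.0.0.0:8009-16]: Hibernate: "
    "select sample.SAMPLE_ID as SAMPLE_ID1_5_ from sample_SAMPLE functional0_",
    "2019-12-03 01:00:02,104 stdout INFO [ajp-/0.0.0.0:8009-17]: Hibernate: "
    "SELECT count(*) FROM sample_SAMPLE",
    "2019-12-03 01:00:05,771 stdout WARN [ajp-/0.0.0.0:8009-18]: "
    "Login failed for user 'svc_app' from 10.0.0.5",
    "2019-12-03 01:00:09,310 stdout INFO [ajp-/0.0.0.0:8009-19]: "
    "Admin pressed select all on the user grid",
]

BROKEN  = r"select\s+.*)"               # unbalanced ')' from the original stanza
FIXED   = r"(SELECT|Select|select)\s+"  # the pattern that did the trick
# Assumed tighter variant: case-insensitive and tied to the 'Hibernate:' prefix,
# so free-text events that merely contain the word 'select' are still indexed.
TIGHTER = r"(?i)Hibernate:\s+select\s+"

def compiles(pattern):
    """True if the REGEX parses; a REGEX that fails to compile cannot match anything."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def route(pattern, events):
    """Emulate DEST_KEY = queue / FORMAT = nullQueue: events whose _raw matches
    REGEX are discarded, all others go on to be indexed."""
    rx = re.compile(pattern)
    dropped = [e for e in events if rx.search(e)]
    kept = [e for e in events if not rx.search(e)]
    return {"nullQueue": dropped, "indexQueue": kept}

if __name__ == "__main__":
    print("BROKEN compiles:", compiles(BROKEN))
    for name, pat in (("FIXED", FIXED), ("TIGHTER", TIGHTER)):
        r = route(pat, EVENTS)
        print(f"{name}: dropped {len(r['nullQueue'])}, kept {len(r['indexQueue'])}")
        for e in r["indexQueue"]:
            print("  kept:", e[-45:])
```

Running it shows the original REGEX never compiles, and that the unanchored working pattern also drops the unrelated "select all" UI event, which is why a prefix-anchored pattern is worth considering before sending data to nullQueue.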
Hi @johnward4,
two questions:
Ciao.
Giuseppe
Right now, I'm building the add-on in my single instance test environment.
"applicationone:log" is the name I picked for the data sourcetype.
Can you please remove the bracket from REGEX and check? Like REGEX = select\s+.*
@harsmarvania57 I tried that and it still isn't working. Could it be a problem with the sourcetype I'm using? Does it need to be applied to _raw log data?
Can you please confirm on which instance you have applied the above configuration? It must be on the Indexer or Heavy Forwarder, whichever comes first from the Universal Forwarder.
I'm trying this on a single test instance. After I make a change to my configs, I delete the data from the index and restart the instance. I then upload the data again to apply my updated configs against it.
Sourcetype should work, and that REGEX will apply to _raw. Have you restarted Splunk after changing the config? Additionally, only new data will go to nullQueue based on the REGEX match; old data will stay.