I'm trying to filter out unwanted data but it's not working using my current stanzas in props & transforms. However, I was able to filter using the regex and reset the sourcetype, so that should rule out an issue with the regex I'm attempting to use.
Sample log for applicationone:
2019-12-03 00:59:57,812 stdout INFO [ajp-/0.0.0.0:8009-16]: Hibernate: select sample.SAMPLE_ID as SAMPLE_ID1_5_, SAMPLE0_.sample_DESCRIPTION as sample_DESCRIPTI2_5_ from sample_SAMPLE functional0_
props.conf:
[applicationone:log]
TRANSFORMS-sendtonull = removeDBqueries

transforms.conf:
[removeDBqueries]
REGEX = select\s+.*)
DEST_KEY = queue
FORMAT = nullQueue
@harsmarvania57 I tried that and it still isn't working. Could it be a problem with the sourcetype I'm using? Does it need to be applied to the _raw log data?
Sourcetype should work, and that REGEX will apply to _raw. Have you restarted Splunk after changing the config? Additionally, only new data will go to nullQueue based on the REGEX match; old data will stay.
Can you please confirm on which instance you have applied the above configuration? It must be on the Indexer or Heavy Forwarder, whichever comes first after the Universal Forwarder.
I'm trying this on a single test instance. After I make a change to my configs, I delete the data from the index and restart the instance. I then upload the data again to apply my updated configs against it.
Right now, I'm building the add-on in my single instance test environment.
"applicationone:log" is the name I picked for the data sourcetype.
There was an issue with my REGEX. This did the trick:
REGEX = (SELECT|Select|select)\s+
DEST_KEY = queue
FORMAT = nullQueue
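An offline check of the two patterns from this thread against a few constructed events, added here as an example (not code from the thread or from Splunk): Python's re module stands in for Splunk's PCRE engine, an assumption that holds for patterns this simple, and shows why the original REGEX never dropped anything while the corrected one does.

```python
import re

# Constructed sample events, modelled on the Hibernate event in the thread (not real data).
SAMPLE_EVENTS = [
    "2019-12-03 00:59:57,812 stdout INFO [ajp-/0.0.0.0:8009-16]: Hibernate: select sample.SAMPLE_ID as SAMPLE_ID1_5_ from sample_SAMPLE functional0_",
    "2019-12-03 01:00:01,004 stdout INFO [ajp-/0.0.0.0:8009-17]: Hibernate: SELECT count(*) FROM sample_SAMPLE",
    "2019-12-03 01:00:02,118 stdout WARN [ajp-/0.0.0.0:8009-18]: Connection pool nearly exhausted (selected 9 of 10)",
    "2019-12-03 01:00:03,221 stdout INFO [ajp-/0.0.0.0:8009-19]: Request completed in 42 ms",
]

ORIGINAL_REGEX = r"select\s+.*)"             # as posted in the question: unbalanced ')'
FIXED_REGEX = r"(SELECT|Select|select)\s+"   # from the accepted answer


def compile_transform_regex(pattern):
    """Return a compiled regex, or None if the pattern would fail to load."""
    try:
        return re.compile(pattern)
    except re.error:
        return None


def route_events(pattern, events):
    """Simulate a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue.

    Splunk applies REGEX with search (not full-match) semantics to _raw, so
    re.search is used. Returns {event: 'nullQueue' | 'indexQueue'}.
    """
    rx = compile_transform_regex(pattern)
    if rx is None:
        raise ValueError(f"invalid REGEX, transform would not load: {pattern!r}")
    return {ev: ("nullQueue" if rx.search(ev) else "indexQueue") for ev in events}


def summarize(pattern, events):
    """Count how many events the stanza would drop versus keep."""
    routes = route_events(pattern, events)
    dropped = sum(1 for q in routes.values() if q == "nullQueue")
    return {"dropped": dropped, "kept": len(events) - dropped}


if __name__ == "__main__":
    print("original loads:", compile_transform_regex(ORIGINAL_REGEX) is not None)
    for event, queue in route_events(FIXED_REGEX, SAMPLE_EVENTS).items():
        print(f"{queue:10s} {event[:60]}")
```

Note that "selected 9 of 10" is kept: the pattern requires whitespace right after the keyword, so a word that merely starts with "select" does not match.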