Hi,
I have a query which filters data in the Splunk search, and I want to send the data returned from this query to the null queue.
I understand that props and transforms need to be configured, but how can this filter criteria be used in the transforms?
index=abc sourcetype=Vserver k=set-collation v.collation = "charset=0x0 root (LROOT)"
All the events for this query need to be routed to the null queue.
I don't believe this is possible through search. If you are using a search to grab events, those events have already been indexed. The nullQueue has to take place before indexing, using props and transforms.
props.conf
[Vserver]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = <your regex to capture events>
DEST_KEY = queue
FORMAT = nullQueue
It would have to be a regex to filter the unwanted events, which you should be able to create in a way that matches that search query. Some examples of events to nullQueue and events to keep would help construct that regex.
@mdsnmss, @athorat -
Correct, to accomplish this at index time it's going to be something like this...
transforms.conf
[setnull]
REGEX = charset=0x0 root \(LROOT\)
SOURCE_KEY = v.collation
DEST_KEY = queue
FORMAT = nullQueue
I'm not certain, however, what the situation might be with regard to extracting the field v.collation. You either have to make sure that the rule runs after that field exists, or you need to change the REGEX and SOURCE_KEY so that they catch the pre-extraction field and value.
index=abc sourcetype=Vserver k=set-collation v.collation = "charset=0x0 root (LROOT)"
Event
{
  k: set-collation
  pid: 5076
  req: WZ******
  sess: 7*********-1:1
  sev: info
  site: Default
  tid: ***
  ts: 2017-08-14T16:10:09.317
  user: ***.ban\jac***
  v: {
    collation: charset=0x0 root (LROOT)
    column: [sqlserver].[none]
  }
}
@somesoni2 @DalJeanis @mdsnmss this is how the event looks.
Thank you so much for your inputs. I will try to write the transforms in the meantime and let you know if that works.
You can probably get away with this:
SOURCE_KEY = _raw
REGEX = collation:\s+charset=0x0 root \(LROOT\)
Technically you can't use a search query to filter data at index time (by filter I mean routing to nullQueue). But if your query filters can be translated into a regular expression on the raw data, then you can set up that filter based on your search query. Your sourcetype here will become the stanza name in props.conf for which you'll set up the filter. Now you have two fields used in the filter, so we need to see if we can change that to a regular expression based off your raw data. Can you post some sample data (a few events which are returned by your query and a few which are not, to ensure the regex doesn't have any false positives) and mark your fields k and v.collation in the raw data?
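The two replies above make the same point from different ends: the transform's REGEX runs against _raw (not against an extracted field), and it needs to be checked against events that should be kept as well as events that should be dropped. The following Python script, added here and not part of the thread, simulates that routing offline. It assumes the source writes one JSON object per event, so _raw is the serialized JSON rather than the expanded view pasted above (that is an assumption; the thread never shows the raw line), and it constructs its own sample events. The regex it uses requires both search conditions (k=set-collation and the collation value) with two lookaheads, which transforms.conf accepts because its REGEX is PCRE. It also runs the earlier unquoted regex against the same serialized events to show why the quoting in _raw matters.

```python
import json
import re

# Constructed sample events (assumption: one JSON object per event, so
# _raw is the json.dumps() text below, not the expanded view in the thread).
SAMPLE_EVENTS = [
    # Matches both search conditions: should go to nullQueue.
    {"k": "set-collation", "sev": "info",
     "v": {"collation": "charset=0x0 root (LROOT)", "column": "[sqlserver].[none]"}},
    # Same operation, different collation value: must be kept.
    {"k": "set-collation", "sev": "info",
     "v": {"collation": "charset=0x1 root (LROOT)", "column": "[sqlserver].[none]"}},
    # Same collation text, different operation key: must be kept.
    {"k": "get-collation", "sev": "info",
     "v": {"collation": "charset=0x0 root (LROOT)", "column": "[sqlserver].[none]"}},
    # Unrelated event: must be kept.
    {"k": "login", "sev": "info", "user": "placeholder-user"},
]
RAW_EVENTS = [json.dumps(e) for e in SAMPLE_EVENTS]
EXPECTED_DROP = [True, False, False, False]

# Index-time equivalent of the search: both fields must be present, in any
# order, anywhere in the line. Whitespace after the colon is optional so the
# pattern works for compact and pretty-printed JSON alike.
NULLQUEUE_REGEX = (
    r'^(?=.*"k":\s*"set-collation")'
    r'(?=.*"collation":\s*"charset=0x0 root \(LROOT\)")'
)

# Regex from the earlier reply, written against the expanded view; it has no
# quotes, so it will not match serialized JSON where the key and value are quoted.
UNQUOTED_REGEX = r"collation:\s+charset=0x0 root \(LROOT\)"


def route(raw, regex=NULLQUEUE_REGEX):
    """Mimic the transform: SOURCE_KEY=_raw, DEST_KEY=queue, FORMAT=nullQueue on match."""
    return "nullQueue" if re.search(regex, raw) else "indexQueue"


def evaluate(raw_events, should_drop, regex=NULLQUEUE_REGEX):
    """Route every sample and return (missed_drops, false_positives).

    Both lists empty means the regex reproduces the search exactly on this sample.
    """
    missed, false_positive = [], []
    for raw, drop in zip(raw_events, should_drop):
        routed_to_null = route(raw, regex) == "nullQueue"
        if drop and not routed_to_null:
            missed.append(raw)
        if routed_to_null and not drop:
            false_positive.append(raw)
    return missed, false_positive


if __name__ == "__main__":
    for raw in RAW_EVENTS:
        print(route(raw), raw)
    print("lookahead regex:", evaluate(RAW_EVENTS, EXPECTED_DROP))
    print("unquoted regex: ", evaluate(RAW_EVENTS, EXPECTED_DROP, UNQUOTED_REGEX))
```

Once the regex passes on a representative sample, the same pattern goes into the [setnull] stanza unchanged; if the real _raw turns out not to be JSON, swap the sample events for a few genuine raw lines and re-run the check before deploying.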