How can I roll all of the events from this search to null queue?

Communicator

Hi,

I have a query that filters data in Splunk search, and I want to send the data returned by this query to the null queue.
I understand that props and transforms need to be configured, but how can this filter criterion be used in the transforms?

index=abc sourcetype=Vserver k=set-collation v.collation="charset=0x0 root (LROOT)"

All the events returned by this query need to be routed to the null queue.


SplunkTrust

I don't believe this is possible through search. If you are using a search to grab events, those events have already been indexed. The nullQueue routing has to take place before indexing, using props and transforms.

props.conf

    [Vserver]
    TRANSFORMS-null = setnull

transforms.conf

    [setnull]
    REGEX = <your regex to capture events>
    DEST_KEY = queue
    FORMAT = nullQueue

It would have to be a regex that filters the unwanted events, which you should be able to create in a way that matches that search query. Some examples of events to send to nullQueue and events to keep would help construct that regex.


SplunkTrust

@mdsnmss, @athorat -

Correct, to accomplish this at index time it's going to be something like this...

transforms.conf

    [setnull]
    REGEX = charset=0x0 root \(LROOT\)
    SOURCE_KEY = v.collation
    DEST_KEY = queue
    FORMAT = nullQueue

I'm not certain, however, what the situation might be with regard to extracting the field v.collation. You either have to make sure that the rule runs after that field exists, or you need to change the REGEX and SOURCE_KEY so that they catch the pre-extraction field and value.


Communicator

index=abc sourcetype=Vserver k=set-collation v.collation="charset=0x0 root (LROOT)"

Event

    {
        k:    set-collation
        pid:  5076
        req:  WZ******
        sess: 7*********-1:1
        sev:  info
        site: Default
        tid:  ***
        ts:   2017-08-14T16:10:09.317
        user: ***.ban\jac***
        v: {
            collation: charset=0x0 root (LROOT)
            column:    [sqlserver].[none]
        }
    }

@somesoni2 @DalJeanis @mdsnmss this is how the event looks.


Communicator

Thank you so much for your input. I will try to write the transforms in the meantime and let you know if that works.


SplunkTrust

You can probably get away with this:

    SOURCE_KEY = _raw
    REGEX = collation:\s+charset=0x0 root \(LROOT\)

SplunkTrust

Technically you can't use a search query to filter data at index time (by filter I mean routing to nullQueue). But if your query filters can be translated into a regular expression on the raw data, then you can set up that filter based on your search query. Your sourcetype here will become the stanza name in props.conf for which you'll set up the filter. Now you have two fields used in the filter, so we need to see if we can change that to a regular expression based on your raw data. Can you post some sample data (a few events that are returned by your query and a few that are not, to ensure the regex doesn't have any false positives) and mark your fields k and v.collation in the raw data?
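The thread ends with the point that both search conditions (k=set-collation and v.collation="charset=0x0 root (LROOT)") have to be turned into one regex over the raw event, and with a regex written against the rendered event view. The script below is an added example and is not code from the original posts. It assumes the events are logged as single-line JSON (the `{ [-]` rendering in the thread suggests Splunk's JSON viewer, but the raw form is not shown on the page), so field names and values are double-quoted in `_raw` and `"k"` appears before `"v"`; the regex, the `[setnull]` stanza text and the three sample events are all constructed for the example.

```python
"""Added example (not from the original thread): translate the two-field search
into one regex over _raw and simulate the index-time nullQueue routing that a
[setnull] transform performs. Assumption: events are one-line JSON with "k"
logged before "v", as constructed below."""
import json
import re

# The raw-event regex that would go into transforms.conf. Both search conditions
# are encoded so that events with the same collation but a different k are kept.
NULLQUEUE_REGEX = re.compile(
    r'"k"\s*:\s*"set-collation".*?"collation"\s*:\s*"charset=0x0 root \(LROOT\)"'
)

# The stanzas a practitioner would deploy; SOURCE_KEY = _raw is the default but
# is written out so the rule cannot be mistaken for a search-time field filter.
TRANSFORMS_CONF = f"""[setnull]
REGEX = {NULLQUEUE_REGEX.pattern}
SOURCE_KEY = _raw
DEST_KEY = queue
FORMAT = nullQueue
"""

PROPS_CONF = """[Vserver]
TRANSFORMS-null = setnull
"""


def route(raw_event: str) -> str:
    """Return the queue an indexer would send this _raw line to."""
    return "nullQueue" if NULLQUEUE_REGEX.search(raw_event) else "indexQueue"


def make_event(k: str, collation: str) -> str:
    """Constructed sample event shaped like the one posted in the thread."""
    return json.dumps(
        {
            "k": k,
            "pid": 5076,
            "sev": "info",
            "site": "Default",
            "ts": "2017-08-14T16:10:09.317",
            "v": {"collation": collation, "column": "[sqlserver].[none]"},
        },
        separators=(",", ":"),
    )


# One event the search would return and two near misses that must stay indexed.
SAMPLES = {
    "drop_target": make_event("set-collation", "charset=0x0 root (LROOT)"),
    "keep_other_collation": make_event("set-collation", "charset=0x1 root (LROOT)"),
    "keep_other_k": make_event("get-collation", "charset=0x0 root (LROOT)"),
}


def routing_table() -> dict:
    """Map each sample name to the queue the transform would route it to."""
    return {name: route(raw) for name, raw in SAMPLES.items()}


def rendered_form_mismatch() -> bool:
    """True if a regex written against the rendered view (collation:  charset=...)
    fails to match the quoted JSON in _raw, which is why it would drop nothing."""
    rendered_regex = re.compile(r"collation:\s+charset=0x0 root \(LROOT\)")
    return rendered_regex.search(SAMPLES["drop_target"]) is None


if __name__ == "__main__":
    print(PROPS_CONF)
    print(TRANSFORMS_CONF)
    for name, queue in routing_table().items():
        print(f"{name:22s} -> {queue}")
    print("rendered-view regex misses raw JSON:", rendered_form_mismatch())
```

The `.*?` between the two conditions does not cross newlines in Splunk's PCRE either, so if the events are pretty-printed multi-line JSON the pattern needs a `(?s)` prefix. Test the regex against real `_raw` samples (kept and dropped) before deploying, since a filter that silently matches nothing leaves the events indexed and one that matches too much destroys data that cannot be recovered from the null queue.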