Getting Data In

How come Apache web server logs being sent to nullQueue are still being indexed?

_smp_
Builder

I have the universal forwarder pushed out to some Apache web servers that are indexing some access logs. I would like to send events that represent status checks to nullQueue so they are not indexed. It seems like a pretty simple task to accomplish, but inspection of the logs confirms the events are still being indexed.

Here is a sample event:
10.10.10.10 - - [08/Oct/2018:14:51:33 -0500] "GET /heartbeat_flow HTTP/1.1" 200 7 "-" "-" - -

Here is my props/transforms on my indexers:
[access_combined]
TRANSFORMS-SendHealthChecksToNull = SendHealthChecksToNull1,SendHealthChecksToNull2

[SendHealthChecksToNull1]
REGEX = GET (?:\/.*)?\/(?:DateServlet|dateservlet.ashx|ping)\/? HTTP\/1.1
DEST_KEY = queue
FORMAT = nullQueue

[SendHealthChecksToNull2]
REGEX = GET (?:\/secure\/webmon\/monitor.html|\/heartbeat_flow|\/wps\/portal\/dpath\/monitor|\/webmon\/test.html|\/mf_monitor|\/applicationDBcheck.php|\/check.txt) HTTP\/1.1
DEST_KEY = queue
FORMAT = nullQueue

What am I doing wrong?

0 Karma
1 Solution

493669
Super Champion

Can you first try only one, like below, to check if it is working?
in props.conf

[access_combined]
TRANSFORMS-SendHealthChecksToNull = SendHealthChecksToNull2

in transforms.conf -

[SendHealthChecksToNull2]
REGEX = GET\s(?:\/secure\/webmon\/monitor\.html|\/heartbeat_flow|\/wps\/portal\/dpath\/monitor|\/webmon\/test\.html|\/mf_monitor|\/applicationDBcheck\.php|\/check\.txt)\sHTTP\/1\.1
DEST_KEY = queue
FORMAT = nullQueue

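To check rules like these before they go onto an indexer, here is an added example (not from the thread and not Splunk's own tooling) that runs the two transforms from the question, with `\s` substituted for the literal spaces as the thread concludes, against a handful of constructed access-log lines and reports which queue each one would land in. It also includes a constructed "flattened" alternation (one path segment per alternative instead of one full path) to show why that shape silently misses multi-segment URLs. The sample lines other than the poster's own, the last-match-wins routing model and the use of Python's `re` in place of Splunk's PCRE engine are all assumptions of this example.

```python
"""Dry-run of Splunk nullQueue routing rules against sample Apache lines.

Added example; it is not from the thread and not Splunk's own tooling.
Assumptions: Splunk evaluates the transforms named in TRANSFORMS-* in order,
each match writes DEST_KEY=queue so the last match wins, and the regex
constructs used here (\\s, \\/, (?:...)) behave the same in Python's re
module as in Splunk's PCRE engine.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events. The first line is the poster's own sample; the
# rest are made up here to exercise the patterns (they are not from the page).
SAMPLE_EVENTS: List[str] = [
    '10.10.10.10 - - [08/Oct/2018:14:51:33 -0500] "GET /heartbeat_flow HTTP/1.1" 200 7 "-" "-" - -',
    '10.10.10.11 - - [08/Oct/2018:14:51:34 -0500] "GET /secure/webmon/monitor.html HTTP/1.1" 200 12 "-" "-" - -',
    '10.10.10.12 - - [08/Oct/2018:14:51:35 -0500] "GET /app/DateServlet/ HTTP/1.1" 200 5 "-" "-" - -',
    '10.10.10.13 - - [08/Oct/2018:14:51:36 -0500] "GET /admin/ping HTTP/1.1" 200 5 "-" "-" - -',
    '10.10.10.14 - - [08/Oct/2018:14:51:37 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" - -',
    '10.10.10.15 - - [08/Oct/2018:14:51:38 -0500] "GET /secure HTTP/1.1" 403 0 "-" "curl/7.64.1" - -',
]

# The question's two transforms, with \s in place of the literal spaces (the
# fix the thread arrived at) and the dots in file names escaped.
HEALTH_CHECK_TRANSFORMS: Dict[str, str] = {
    "SendHealthChecksToNull1":
        r"GET\s(?:\/.*)?\/(?:DateServlet|dateservlet\.ashx|ping)\/?\sHTTP\/1\.1",
    "SendHealthChecksToNull2":
        r"GET\s(?:\/secure\/webmon\/monitor\.html|\/heartbeat_flow|\/wps\/portal\/dpath\/monitor"
        r"|\/webmon\/test\.html|\/mf_monitor|\/applicationDBcheck\.php|\/check\.txt)\sHTTP\/1\.1",
}

# A flattened variant constructed as a contrast: one path *segment* per
# alternative rather than one full path, so multi-segment URLs fall through
# and a bare "/secure" request is swallowed instead.
FLATTENED_TRANSFORMS: Dict[str, str] = {
    "Flattened":
        r"GET\s\/(secure|webmon|monitor\.html|heartbeat_flow|wps|portal|dpath|monitor"
        r"|test\.html|mf_monitor|applicationDBcheck\.php|check\.txt)\sHTTP\/1\.1",
}

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')


def request_path(event: str) -> str:
    """Extract the request path from a combined-format access-log line."""
    m = REQUEST_LINE.search(event)
    if m is None:
        raise ValueError(f"not an access_combined line: {event!r}")
    return m.group("path")


def route(event: str, transforms: Dict[str, str]) -> str:
    """Queue an event lands in: nullQueue if a rule matches, else indexQueue."""
    queue = "indexQueue"
    for pattern in transforms.values():
        if re.search(pattern, event):
            queue = "nullQueue"  # every rule here sets FORMAT = nullQueue
    return queue


def routing_table(transforms: Dict[str, str],
                  events: List[str] = SAMPLE_EVENTS) -> Dict[str, str]:
    """Map each sample request path to the queue the rules send it to."""
    return {request_path(e): route(e, transforms) for e in events}


def disagreements(a: Dict[str, str], b: Dict[str, str],
                  events: List[str] = SAMPLE_EVENTS) -> Dict[str, Tuple[str, str]]:
    """Paths that rule set a and rule set b route differently."""
    ta, tb = routing_table(a, events), routing_table(b, events)
    return {p: (ta[p], tb[p]) for p in ta if ta[p] != tb[p]}


if __name__ == "__main__":
    for name, rules in (("question", HEALTH_CHECK_TRANSFORMS),
                        ("flattened", FLATTENED_TRANSFORMS)):
        print(f"--- {name} ---")
        for path, queue in routing_table(rules).items():
            print(f"{queue:<10} {path}")
    print("--- differences (question, flattened) ---")
    for path, pair in disagreements(HEALTH_CHECK_TRANSFORMS, FLATTENED_TRANSFORMS).items():
        print(f"{path}: {pair}")
```

Two things worth noticing in the output. The question's rules drop `/admin/ping` as well as the intended health checks, because the `(?:\/.*)?` prefix in the first transform lets any path that ends in `/ping` match; events routed to nullQueue are discarded before indexing, so a pattern that is broader than intended removes evidence you cannot get back. The flattened variant misses `/secure/webmon/monitor.html` entirely while swallowing a plain `GET /secure`, which is exactly the kind of mismatch a dry run like this surfaces before deployment. On the indexer itself, `splunk btool props list access_combined --debug` shows which props.conf the TRANSFORMS line is actually being read from.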

gcusello
SplunkTrust

Hi scottprigge,
do you have a Heavy Forwarder between the Universal Forwarder and the Indexers?
If yes, you have to put your filter on the Heavy Forwarder.
Bye.
Giuseppe

0 Karma

_smp_
Builder

No, there is no HF in play. It's just UF on the web servers forwarding to the indexers.

0 Karma

gcusello
SplunkTrust

OK, so try to have two different entries in props.conf:

[access_combined]
TRANSFORMS-SendHealthChecksToNull1 = SendHealthChecksToNull1
TRANSFORMS-SendHealthChecksToNull2 = SendHealthChecksToNull2

Bye.
Giuseppe

0 Karma

_smp_
Builder

The issue was using a space instead of \s in the REGEX stanza. Thanks for the post!

493669
Super Champion

@scottprigge, have you tried this on the indexer?

0 Karma

_smp_
Builder

Yes, all the config I referenced is on the indexer.

0 Karma

kmorris_splunk
Splunk Employee

Have you verified the regex works in a tool like regex101.com?

0 Karma

_smp_
Builder

Yep, I have. It matches.

0 Karma