Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Exclude header data in cisco log file ?

dfigurello
Communicator
‎12-11-2015 07:48 PM

Hi splunkers,

I would like to remove headers from a Cisco file. I've tried transforms configurations, but I can't get it work.
I ran a search to troubleshoot: index=_internal sourcetype=splunkd ignoreComments , with the following results:

 -0200 ERROR regexExtractionProcessor - REGEX field must be specified
 tranform_name=ignoreComments

Please find below details of the configurations:

C:\Program Files\Splunk\etc\apps\search\local\inputs.conf

[monitor://c:\cisco\*]
sourcetype = cisco_teste
disabled = false
index = treinamento

C:\Program Files\Splunk\etc\apps\search\local\props.conf

[cisco_teste]
TRANSFORMS-noComments = ignoreComments

C:\Program Files\Splunk\etc\apps\search\local\tranforms.conf

[ignoreComments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

Let me know if you guys need anything else, I really appreciate the help.
Cheers,

0 Karma
Reply

woodcock
Esteemed Legend
‎12-17-2015 08:57 AM

Did you restart the Splunk instances on the Indexers where you put props.conf and transforms.conf?
Double-check this list:

  • The sourcetype matches replace_sourcetype_with_containing_directory exactly (casing, punctuation, etc.).
  • The props.conf and transforms.conf configuration files are deployed to the Indexers or Heavy Forwarders (or Universal Forwarders in some cases, such as INDEXED_EXTRACTIONS = CSV).
  • The inputs.conf configuration file is deployed to the Forwarder.
  • You must restart/bounce all Splunk instances on the servers where you deploy these files.
  • There are no configuration errors during restart (watch the response text during startup on one server of each type).
  • You are verifying proper current function by looking at NEW data (post-deploy/post-bounce), not previously indexed data (which is immutable).
0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎12-11-2015 09:13 PM

You specified "ignoreComment" in props.conf, but you configured "ignoreComments" as the transforms.conf.
Make sure spelling exactly matches.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎12-15-2015 10:57 AM

You may want to match the full line that starts with '#', i.e. do REGEX=^#.*
I cannot see anything else that is wrong with your configuration. And you are configuring these files on your indexer, correct?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎12-11-2015 09:14 PM

Overlap with woodcock....

0 Karma
Reply

dfigurello
Communicator
‎12-12-2015 03:38 AM

Hi ssievert,,

I am sorry but i did make a mistake when I put here in answers, please disregard it.

Tks.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-11-2015 09:13 PM

You have a spelling mismatch; you need to settle on either ignoreComment or ignoreComments (note the extra s in the latter). Once you make this the same, it should work fine.

0 Karma
Reply

dfigurello
Communicator
‎12-12-2015 03:37 AM

Hi Woodcock,

I am sorry but i did make a mistake when I put here in answers, please disregard it.

Tks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...