Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to filter logs with the word "version" to nullQueue on the Splunk Cloud Sandbox?

andremidea
Engager
‎04-06-2015 11:52 AM

I'm trying to filter logs with the 'version' word, and send them to the nullQueue.

First of all, i'm using the UniversalForwarder and Splunk Cloud sandbox, i tried to do this by using the config files,

Something like this,

props.conf

[default] 
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = version
DEST_KEY = queue
FORMAT = nullQueue

But it didn't workout, then i read that with Splunk Cloud you need to do these configurations using the GUI.

It's quite confusing how to do this, every documentation is about the Enterprise Version.

I've tried to create a Field Transformation with this options:
regex = version
SourceKey = _raw
format = queue::nullQueue

But again, it doesn't work.

Any Ideas? Thanks.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-11-2015 08:14 AM

The props/transforms have to be setup on the indexers (in this case the splunkcloud instance)
But on sandbox/trials you cannot install your own apps, and cannot reach support to get help.

Therefore the solution is to use a heavy forwarder to be able to parse the events before forwarding them. (see @acharlieh answer)

0 Karma
Reply

acharlieh
Influencer
‎04-06-2015 02:00 PM

I'll readily admit that I'm not on Splunk Cloud, but one option could be to introduce a Heavy Forwarder in your architecture. (So UF -> HF -> Splunk Cloud. )

Since a Heavy Forwarder does all of the parsing (which a UF does not*), and since you control all of the settings here, you can then nullQueue on the Heavy Forwarder (before data leaves your network). If you want more than you ever wanted to know about Splunk's ingestion process I recommend: http://wiki.splunk.com/Community:HowIndexingWorks

* ...Know that in limited circumstances, a UF can also nullQueue, but it's not broadly applicable

Reply

andremidea
Engager
‎04-07-2015 07:17 AM

Thanks, for the help.

I don't think i can have a heavy forwarder with Splunk Cloud, just the UF. I tried to do the props/transforms.conf at UF level but it doesn't works as you said.

I'm trying to use the Splunk GUI to do this, but it doesn't seem to work.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-11-2015 08:15 AM

You can replace the Universal forwarder by a heavy forwarder (install a full splunk, and install the cloud forwarding app)

0 Karma
Reply

acharlieh
Influencer
‎04-07-2015 08:26 AM

According to the Splunk Cloud user manual, the way to get data that requires parsing to Splunk Cloud is to manage a Heavy Forwarder on premises. So I would think that setting up an HF is indeed an option with Cloud.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...