Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to route errors of log monitoring to null queue

mzn1979
Explorer
‎06-21-2021 04:15 AM

Hi everybody!

I currently monitor IIS web server logs from two different locations. the locations are D:\IISLOGS and E:\IISLOGS.

I defined these two paths because some of my servers put the logs into D drive and the others put the logs into E drive. So I've faced errors in my splunk internal logs.

The error is:

WARN  FilesystemChangeWatcher [3444 MainTailingThread] - error getting attributes of path "E:\IISLogs": The device is not ready.

 

I've created the following stanzas in my tranforms.conf and props.conf to set them to go to the null queue but it didn't work.

 

props.conf

[source::C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log]
TRANSFORMS-null= setnull

 

transforms.conf

[setnull]
REGEX = (.+error.+path.+[DE].+IISLogs.+)
DEST_KEY = queue
FORMAT = nullQueue

 

In my opinion, I made a mistake in my REGEX but I can't figure it out.

Any suggestion would be appreciated

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-21-2021 06:45 PM

Hi @mzn1979 

Can you try following,  Make sure these are deployed to HF/indexer where your splunkd logs go through before indexing from UF.

#props.conf
[source::C:\\Program*\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log]
TRANSFORMS-null= setnull
 
#transforms.conf
[setnull]
REGEX = error\s+getting\s+attributes\s+of\s+path\s+\"[DE]:\\IISLogs\"
DEST_KEY = queue
FORMAT = nullQueue

 ---

An upvote would be appreciated and accept solution if it helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-21-2021 06:45 PM

Hi @mzn1979 

Can you try following,  Make sure these are deployed to HF/indexer where your splunkd logs go through before indexing from UF.

#props.conf
[source::C:\\Program*\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log]
TRANSFORMS-null= setnull
 
#transforms.conf
[setnull]
REGEX = error\s+getting\s+attributes\s+of\s+path\s+\"[DE]:\\IISLogs\"
DEST_KEY = queue
FORMAT = nullQueue

 ---

An upvote would be appreciated and accept solution if it helps!

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...