Getting Data In

How to route errors of log monitoring to null queue

mzn1979
Explorer

Hi everybody!

I currently monitor IIS web server logs from two different locations. the locations are D:\IISLOGS and E:\IISLOGS.

I defined these two paths because some of my servers put the logs into D drive and the others put the logs into E drive. So I've faced errors in my splunk internal logs.

The error is:

WARN  FilesystemChangeWatcher [3444 MainTailingThread] - error getting attributes of path "E:\IISLogs": The device is not ready.

 

I've created the following stanzas in my tranforms.conf and props.conf to set them to go to the null queue but it didn't work.

 

props.conf

[source::C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log]
TRANSFORMS-null= setnull

 

transforms.conf

[setnull]
REGEX = (.+error.+path.+[DE].+IISLogs.+)
DEST_KEY = queue
FORMAT = nullQueue

 

In my opinion, I made a mistake in my REGEX but I can't figure it out.

Any suggestion would be appreciated

Labels (2)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @mzn1979 

Can you try following,  Make sure these are deployed to HF/indexer where your splunkd logs go through before indexing from UF.

#props.conf
[source::C:\\Program*\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log]
TRANSFORMS-null= setnull
 
#transforms.conf
[setnull]
REGEX = error\s+getting\s+attributes\s+of\s+path\s+\"[DE]:\\IISLogs\"
DEST_KEY = queue
FORMAT = nullQueue

 ---

An upvote would be appreciated and accept solution if it helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

Hi @mzn1979 

Can you try following,  Make sure these are deployed to HF/indexer where your splunkd logs go through before indexing from UF.

#props.conf
[source::C:\\Program*\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log]
TRANSFORMS-null= setnull
 
#transforms.conf
[setnull]
REGEX = error\s+getting\s+attributes\s+of\s+path\s+\"[DE]:\\IISLogs\"
DEST_KEY = queue
FORMAT = nullQueue

 ---

An upvote would be appreciated and accept solution if it helps!

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...