I have configured transforms.conf and props.conf as shown below:
[setnull]
REGEX = INFO
DEST_KEY = queue
FORMAT = nullQueue
[source::/opt/assays/log/assays.stdout.log]
TRANSFORMS-null= setnull
But I'm still getting logs from source = /opt/assays/log/assays.stdout.log.
Please help.
You seem to be following good examples. The docs you want to follow for this are here: http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad#Discard_specific_ev...
You didn't mention where you put these files. They need to go on the Splunk system that does the parsing. This is most likely the indexers, but could be a heavyweight forwarder.
Use btool to validate your configurations: https://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/Usebtooltotroubleshootconfigurati...
If you have the files on the correct Splunk system, and they validate with btool, the only other variables are: does your source in props match, and does your REGEX match?
Hope this helps. Good luck.
Everything is working fine now, thanks all.
All the logs containing INFO are no longer indexed.
Just out of curiosity, can anyone tell me which parameters we can apply conditional logging on? We can apply it using hostname and source, but can we apply conditional logging using index?
In your transforms, you are missing
REGEX=.
Hi ayushchoudhary,
Probably I'm asking a stupid question: did you put your .conf files on your indexers or on your forwarders? They must be on the indexers.
In addition, I usually don't use nullQueue alone, and I never use source or host in stanzas but always sourcetype, because it sometimes fails. Try it this way:
In props.conf:
[your_sourcetype]
TRANSFORMS-filter_sourcetype1=set_sourcetype1,set_nullqueue
In transforms.conf:
[set_nullqueue]
REGEX=INFO
DEST_KEY=queue
FORMAT=nullQueue
[set_sourcetype1]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue
Note that the order of the names in the props.conf TRANSFORMS attribute is important; the order of the stanzas in transforms.conf isn't.
This works if you want to keep everything except INFO; if you need to keep only certain events and discard the rest, you have to invert the order in the props.conf TRANSFORMS attribute and change the regexes.
Bye.
Giuseppe
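To make the ordering rule concrete, here is an added Python model of how the two transforms interact; it is not Splunk code and not Giuseppe's. It assumes that the transforms named in a props.conf TRANSFORMS- attribute run left to right, that every transform whose REGEX matches overwrites the queue with its FORMAT, and that an event no transform touches stays on the default indexQueue. It also carries the answer's "invert the order and change the regexes" case through for a keep-only-INFO configuration; the stanza names drop_all and keep_info and the sample events are constructed.

```python
import re
from typing import Dict, List

# Constructed model of Splunk index-time routing, added to illustrate the
# ordering rule in the answer above; it is not Splunk code. Assumptions:
# transforms listed in a props.conf TRANSFORMS-<name> attribute run left to
# right; each one whose REGEX matches the raw event overwrites the queue named
# in its FORMAT; an event no transform touches keeps the default indexQueue.
# Where a stanza sits inside transforms.conf has no effect, only the
# TRANSFORMS order does.

# The transforms.conf stanzas from the answer, keyed by stanza name. The dict
# order is deliberately the reverse of the props.conf order to show that the
# file order is irrelevant.
TRANSFORMS: Dict[str, Dict[str, str]] = {
    "set_nullqueue":   {"REGEX": "INFO", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "set_sourcetype1": {"REGEX": ".",    "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

# Inverted variant for "keep only INFO, discard everything else" (constructed
# names): catch-all to nullQueue first, then the specific regex back to indexQueue.
KEEP_ONLY_INFO: Dict[str, Dict[str, str]] = {
    "drop_all":  {"REGEX": ".",    "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "keep_info": {"REGEX": "INFO", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

DEFAULT_QUEUE = "indexQueue"


def parse_transforms_attr(line: str) -> List[str]:
    """Split 'TRANSFORMS-<name>=a,b' into the ordered list ['a', 'b']."""
    key, _, value = line.partition("=")
    if not key.strip().startswith("TRANSFORMS-"):
        raise ValueError(f"not a TRANSFORMS attribute: {line!r}")
    return [name.strip() for name in value.split(",") if name.strip()]


def route_event(event: str, order: List[str],
                transforms: Dict[str, Dict[str, str]] = TRANSFORMS) -> str:
    """Return the queue an event ends up in after the transforms run in order."""
    queue = DEFAULT_QUEUE
    for name in order:
        t = transforms[name]
        if t["DEST_KEY"] != "queue":
            continue  # only queue-routing transforms matter here
        if re.search(t["REGEX"], event):
            queue = t["FORMAT"]  # a later match overwrites an earlier one
    return queue


def route_all(events: List[str], order: List[str],
              transforms: Dict[str, Dict[str, str]] = TRANSFORMS) -> Dict[str, List[str]]:
    """Group events by the queue they are routed to."""
    result: Dict[str, List[str]] = {"indexQueue": [], "nullQueue": []}
    for e in events:
        result.setdefault(route_event(e, order, transforms), []).append(e)
    return result


# Constructed sample events in the style of the OP's assays.stdout.log.
EVENTS = [
    "2017-01-10 10:00:01 INFO  assay run started",
    "2017-01-10 10:00:02 WARN  slow database response",
    "2017-01-10 10:00:03 ERROR assay run failed",
    "2017-01-10 10:00:04 INFO  assay run finished",
]

if __name__ == "__main__":
    order = parse_transforms_attr(
        "TRANSFORMS-filter_sourcetype1=set_sourcetype1,set_nullqueue")
    print("catch-all first, then INFO -> null:", route_all(EVENTS, order))
    # Same two stanzas, reversed in props.conf: the catch-all runs last and
    # sends every event back to indexQueue, so nothing is filtered.
    print("reversed order:", route_all(EVENTS, list(reversed(order))))
    print("keep only INFO:", route_all(EVENTS, ["drop_all", "keep_info"], KEEP_ONLY_INFO))
```

The reversed-order run is the case to remember: with set_nullqueue before set_sourcetype1 the catch-all REGEX=. fires last and every event, INFO included, goes back to indexQueue, which looks exactly like "the filter is not working".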
I put this app together as an example. Please only use it in a non-production environment.
I noticed when building it that getting the props.conf source:: stanza right was tricky, as it did not accept $SPLUNK_HOME.
I looked at the entries that match source:: for examples:
./splunk cmd btool props list source:: | grep \\[
[source::...((.(bak|old))|,v|~|#)]
[source::....(0t|a|ali|asa|au|bmp|cg|cgi|class|d|dat|deb|del|dot|dvi|dylib|elc|eps|exe|ftn|gif|hlp|hqx|hs|icns|ico|inc|iso|jame|jin|jpeg|jpg|kml|la|lhs|lib|lo|lock|mcp|mid|mp3|mpg|msf|nib|o|obj|odt|ogg|ook|opt|os|pal|pbm|pdf|pem|pgm|plo|png|po|pod|pp|ppd|ppm|ppt|prc|ps|psd|psym|pyc|pyd|rast|rb|rde|rdf|rdr|rgb|ro|rpm|rsrc|so|ss|stg|strings|tdt|tif|tiff|tk|uue|vhd|xbm|xlb|xls|xlw)]
[source::....(?<!tar.)gz(.\d+)?]
[source::....(cache|class|cxx|dylib|jar|lo|xslt|md5|rpm|deb|iso|vim)]
[source::....(css|htm|html|sgml|shtml|template)]
[source::....(jar)(.\d+)?]
[source::....(tar.gz|tgz)(.\d+)?]
[source::....(tbz|tbz2)(.\d+)?]
[source::....Z(.\d+)?]
[source::....bz2?(.\d+)?]
[source::....crash.log(.\d+)?]
[source::....csv]
[source::....tar(.\d+)?]
[source::.../(apache|httpd).../error*]
[source::.../(readme|README)...]
[source::.../(u_|)ex(tend|\d{4,8})*?.log]
...
I hope this example helps. Good Luck!
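Two of the checks raised in this thread, whether a props.conf source:: stanza actually matches the path Splunk sees (bshulter's "does your source in props match") and whether the transforms REGEX matches the events, can be rehearsed offline. The following Python script is an added example, not code from the thread, the app above, or Splunk. It assumes the documented wildcard rules for source:: stanzas (`...` matches any characters including `/`, `*` matches anything except `/`, and the rest of the stanza is treated as a regular expression anchored at both ends) and uses Python's re module as a stand-in for Splunk's PCRE engine; the sample paths and events are constructed, the stanzas come from the btool output above.

```python
import re
from typing import List

# Translate the wildcards of a props.conf [source::<pattern>] stanza into a
# Python regex. Assumed semantics (from the Splunk props.conf docs):
#   '...'  any run of characters, including '/'
#   '*'    any run of characters except '/'
# Everything else is passed through as regex syntax, which is why stanzas such
# as [source::....(?<!tar.)gz(.\d+)?] from the btool output above work at all.
# One pass over both wildcards keeps the '*' produced for '...' from being
# translated a second time.
_WILDCARDS = re.compile(r"\.\.\.|\*")


def stanza_to_regex(stanza: str) -> re.Pattern:
    body = stanza.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    if body.startswith("source::"):
        body = body[len("source::"):]
    translated = _WILDCARDS.sub(
        lambda m: ".*" if m.group(0) == "..." else "[^/]*", body
    )
    # Anchored at both ends: the whole source path has to match the pattern.
    return re.compile("^" + translated + "$")


def stanza_matches(stanza: str, source_path: str) -> bool:
    """True if the props.conf stanza would apply to this source path."""
    return stanza_to_regex(stanza).search(source_path) is not None


def matching_stanzas(source_path: str, stanzas: List[str]) -> List[str]:
    """All stanzas from a list (e.g. btool output) that claim this path."""
    return [s for s in stanzas if stanza_matches(s, source_path)]


def regex_hits(transform_regex: str, events: List[str]) -> List[str]:
    """Events a transforms.conf REGEX matches (unanchored search, as in
    transforms.conf), i.e. the events a nullQueue transform would discard."""
    pattern = re.compile(transform_regex)
    return [e for e in events if pattern.search(e)]


# Stanzas taken from the thread, plus the OP's own stanza.
STANZAS = [
    "[source::/opt/assays/log/assays.stdout.log]",
    "[source::....csv]",
    "[source::....(?<!tar.)gz(.\\d+)?]",
    "[source::.../(apache|httpd).../error*]",
]

# Constructed sample events in the style of the OP's assays.stdout.log.
EVENTS = [
    "2017-01-10 10:00:01 INFO  assay run started",
    "2017-01-10 10:00:02 WARN  slow database response",
    "2017-01-10 10:00:03 ERROR assay run failed",
]

if __name__ == "__main__":
    for path in ["/opt/assays/log/assays.stdout.log",
                 "/var/log/apache2/error.log",
                 "/data/export/report.csv.bak",
                 "/tmp/backup.tar.gz"]:
        print(f"{path}: {matching_stanzas(path, STANZAS)}")
    # A literal $SPLUNK_HOME never matches: '$' is the end-of-string anchor in
    # regex syntax, so nothing can follow it. That is the symptom noted above.
    print(stanza_matches("[source::$SPLUNK_HOME/var/log/splunk/metrics.log]",
                         "/opt/splunk/var/log/splunk/metrics.log"))
    print("discarded by REGEX=INFO:", regex_hits("INFO", EVENTS))
```

Run it with the real source value taken from a search (the source field exactly as Splunk indexed it, not the path you think the forwarder monitors) and with a few raw events pasted from the same source; if either check comes back empty, the stanza or the REGEX, not the placement of the files, is the problem.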
I have added these files on the indexer, as the forwarder is a universal forwarder. Yes, I do have INFO strings in the events coming from the source.
After applying the conditional logging, I can see the INFO events.
Configuration seems okay. The probably missing opening [ is just a Splunk Answers issue.
Have you restarted the indexer(s)? If you deployed this to the indexers using the Cluster Master, you might need to wait a while due to how Splunk reload works for regex replacement (transforms.conf).
Or restart the CPs and see if you still have the issue.
As @bshulter said, using btool to check the configuration is important. Checking the configuration file permissions or the configuration name would also be worthwhile.