- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Issue sending events to nullQueue.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue sending events to nullQueue.
I'm having some issues sending specific events to nullQueue. I want all events from a specific source with the event_type=SETXATTR sent to nullqueue. I have this in my props and transforms files that is currently not working:
Props.conf
[source::/syslog-ng/nasuni/*/*.log]
TRANSFORMS-null= setnull
Transforms.conf
[setnull]
REGEX = (?<event_type>SETXATTR)
DEST_KEY = queue
FORMAT = nullQueue
Also, where exactly on the indexers should these be? I've read some say to put in the $SPLUNK_HOME/etc/system/local folder and others say to put in the $SPLUNK_HOME/etc/apps/myapp/local folder.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi bnichols024,
I think your REGEX is incorrect....you made the capture group a named group called event_type, rather than looking for the string.
Try this:
[setnull]
REGEX = (event_type = SETXATTR)
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Please check the regex whether it's capturing the data as needed. Please give us a sample event to work it out for you.
Your props and transforms are correct
The best practice is to put the conf in your app directory $SPLUNK_HOME/etc/apps/myapp/local.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2020-05-28T14:19:34-04:00 abuhnasfiler01.euc.ppg.com 1 2020-05-28T21:19:34.322906+03:00 abuhnasfiler01 nasuni.7e485ffc-4467-468f-b298-1 11064 8103704790 - {"to_gid": null, "event_type": "AUDIT_SETXATTR", "sequence": 63553546, "pid": 18010, "groupname": "PPGEUR\\domain users", "result": 0, "uid": 80399113, "is_dir": false, "size": null, "timestamp": 1590689974.2567756, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.174.100.2", "ts": null, "to": null, "gid": 80001513, "filesize": null, "to_uid": null, "sid": "S-1-5-21-1570054266-39153565-926709054-398113", "tid": 18010, "username": "PPGEUR\\m00990", "path_timestamp": 0.0, "datasync": null, "volume": "7e485ffc-4467-468f-b298-17e52bab439b_0", "offset": null, "path": "/now/Groups/Common/Sales_Tinting/Silviu/Qlik/2015/Ianuarie 2015/Primite/Rapoarte/Total Decembrie 2014/pigment_67559.csv", "newpath": null, "shared_link_key": null, "resource": "BUHGroups$", "name": "user.DOSATTRIB", "length": null, "flags": null, "mode": null}
event_type = SETXATTReventtype = nix-all-logshost = abuhnasfiler01.euc.ppg.comindex = nasuni_auditingsource = /syslog-ng/nasuni/abuhnasfiler01.euc.ppg.com/2020-05-28.logsourcetype = nasuni
Infographic provides the TL;DR for the 2023 Splunk Career Impact Report
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
