Getting Data In

Nullqueue filtering

timrich66
Communicator

Hello All,

Grateful for assistance on this one.

We have several areas where servers are HA pairs and write to a server specific log.  However, because they are an HA pair, their own log and the equivalent log on the paired server is visible via a shared drive.

Thus,  server 'A' produces 'serverlogA' but can also see 'serverlogB'.  Server 'B' produces 'serverlogB' and can also see 'serverlogA'.

Because both servers are in the same Server Class, we end up with duplicated events from both server logs.

We cannot only ingest from one server because they also have unique log files and a failure on the ingesting server would require manual intervention to move to the paired server.

I have tried to nullqueue the events as shown below, but not had any success.  

Please let me know your thoughts on how to work around this issue.

Thanks

props.conf

[source::/apps/lvservices/mnt/logs/abc/whyluaap182_ContractEnquiry.log]
TRANSFORMS-nullq_cms_uaap181 = nullq_uaap181
[source::/apps/lvservices/mnt/logs/abc/whyluaap181_ContractEnquiry.log]
TRANSFORMS-nullq_cms_uaap182 = nullq_uaap182

transforms.conf

[nullq_uaap181]
SOURCE_KEY = MetaData:Host
REGEX = whyluaap181
DEST_KEY = queue
FORMAT = nullQueue

[nullq_uaap182]
SOURCE_KEY = MetaData:Host
REGEX = whyluaap182
DEST_KEY = queue
FORMAT = nullQueue

 

Labels (4)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
Is it totally impossible idea to have two almost identical serverclasses one for each?
0 Karma

timrich66
Communicator

Hi, @isoutamo  Can you explain your thinking?  It is unlikely, but may be possible.  I don't understand why the nullqueue option isn't working though.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Now you have one serverclass where you have defined all those files: common, nodeA and nodeB if I understood right. As your log files contains name of nodeA or nodeB you could remove those from common serverclass and create separate classes for those which are installed only to corresponding node. All common files could be in common serverclass which will installed to both. Then there is no need for that nullQfiltering. 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @timrich66,

These conf files should be on Indexers. Could you please confirm?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

timrich66
Communicator

Hi @scelikok , yes, the code is deployed from our Cluster Master (/opt/splunk/etc/master-apps/_cluster/local) to indexers (/opt/splunk/etc/slave-apps/_cluster/local).  It is also present on HF in /opt/splunk/etc/system/local).

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...