Solved: Re: Problem routing events to nullQueue

nocostk · ‎11-24-2010

I'm trying to get a multi-line log4j event sent to the nullQueue on a Regular forwarder. Here is my inputs/props/transforms.conf:

[monitor:///opt/ShoppingSite/work/logs/tomcat.log]
disabled = false
followTail = 1
sourcetype = log4j

[source::///opt/ShoppingSite/work/logs/tomcat.log]
TRANSFORMS-filtercrap = cleantomcat

[cleantomcat]
REGEX = (?m).+getResponseEntity\nINFO:\s+The\slength\sof\sthe\smessage\sbody\sis\sunknown.+
DEST_KEY = queue
FORMAT = nullQueue

This is the event from my tomcat log I need filtered:

Nov 24, 2010 12:51:18 PM com.noelios.restlet.http.HttpClientCall getResponseEntity
INFO: The length of the message body is unknown. The entity must be handled carefully and consumed entirely in order to surely release the connection.

I've checked my regex using KiKi (Linux regex utility). Anyone have any thoughts? These events are still showing up when I search on my search head.

bfaber · ‎11-25-2010

What happens if you change the props.conf from

[source::///opt/ShoppingSite/work/logs/tomcat.log]

to

[log4j]

and restart the forwarder?

View solution in original post

bfaber · ‎11-25-2010

What happens if you change the props.conf from

[source::///opt/ShoppingSite/work/logs/tomcat.log]

to

[log4j]

and restart the forwarder?

gkanapathy · ‎11-30-2010

source:: clauses should not have the triple slashes /// at the start, just the /. The // is part of inputs monitor syntax.

nocostk · ‎11-26-2010

That seems to work. Why would sourcetype work but not source?

Problem routing events to nullQueue

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Problem routing events to nullQueue

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience