Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Route and filter universal forwarder for two apps

MicMoo
Explorer
‎03-30-2020 04:20 PM

Hope everyone is keeping safe.

I'm following this document https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad (Discard specific events and keep the rest)
The first app is working as expected, however when I've created a second app the filtering is not working
Both apps send data to same index, but the apps are on different servers and different logs. we are using Universal Forwarders
App1

[ ~/etc/deployment-apps/app1/local] $ cat props.conf
[uLinga]
TRANSFORMS-set= setnull,setparsing

[ ~/etc/deployment-apps/app1/local] $ cat transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = INFRASFT
DEST_KEY = queue
FORMAT = indexQueue

App2
[ ~/etc/deployment-apps/app2/local] $ cat props.conf
[Aux]
TRANSFORMS-set = setnull,setparsing

[ ~/etc/deployment-apps/app2/local] $ cat transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = INFO|ERROR|WARN
DEST_KEY = queue
FORMAT = indexQueue

Thank you

0 Karma
Reply

MicMoo
Explorer
‎04-05-2020 02:20 PM

Thank you ,
Managed to sort it out, issue was with the output file on the HF app.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-03-2020 05:27 AM

You need to separate your stanza names so that they are not competing, like this:

[~/etc/deployment-apps/app1/local] $ cat props.conf:

[uLinga]
TRANSFORMS-set= uLinga_setnull, uLinga_setparsing

[ ~/etc/deployment-apps/app1/local] $ cat transforms.conf:

[uLinga_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[uLinga_setparsing]
REGEX = INFRASFT
DEST_KEY = queue
FORMAT = indexQueue

[ ~/etc/deployment-apps/app2/local] $ cat props.conf:

[Aux]
TRANSFORMS-set = Auz_setnull, Aux_setparsing

[ ~/etc/deployment-apps/app2/local] $ cat transforms.conf:

[Aux_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[Aux_setparsing]
REGEX = INFO|ERROR|WARN
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎04-02-2020 05:32 PM

Run:

splunk btool transforms list --debug

You will likely find that you need to uniquely name your transform stanzas otherwise one will overwrite the other...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

MuS
Legend
‎03-30-2020 05:06 PM

Hi MicMoo,

Please post the two apps and their .conf files so people are able to help you.

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...