Getting Data In

Strip lines from Logs before Indexing in Splunk Cloud

schua
New Member

Hi,

I have an Apache instance with Splunk Forwarder installed that sends logs to Splunk Cloud directly (no heavy forwarders).

In the /var/log/httpd/error_logs, we have tons of entries from our load balancer to check the status:
[Thu May 14 12:11:42.799506 2020] [rewrite:trace2] [pid 26491:tid mod_rewrite.c(470): [client 10.2.35.111:29429] 10.2.35.111 - - [10.2.35.111/sid#559b685a5a10][rid#559b689f9aa0/initial] init rewrite engine with requested uri /en/healthcheck.html

How do I exclude this before going to Splunk Cloud Indexer?

I tried adding props.conf and transforms.conf under /opt/splunkforwarder/etc/system/local/ but did not work.

props.conf
[source::/var/log/httpd/error_log]
TRANSFORMS-null= setnull

transforms.conf
[setnull]
REGEX = rewrite
DEST_KEY = queue
FORMAT = nullQueue

for REGEX, i also tried
healthcheck.html
\/en\/healthcheck.html

Thanks,
Sherwin

Labels (2)
Tags (1)
0 Karma
1 Solution

PavelP
Motivator

Hello @schua,

nullQueue work only on a Splunk instance which first parses/indexes events. UF doesn't parse events, so you need to apply this config on HF or Indexer

View solution in original post

0 Karma

PavelP
Motivator

Hello @schua,

nullQueue work only on a Splunk instance which first parses/indexes events. UF doesn't parse events, so you need to apply this config on HF or Indexer

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...