Getting Data In

Strip lines from Logs before Indexing in Splunk Cloud

schua
New Member

Hi,

I have an Apache instance with Splunk Forwarder installed that sends logs to Splunk Cloud directly (no heavy forwarders).

In the /var/log/httpd/error_logs, we have tons of entries from our load balancer to check the status:
[Thu May 14 12:11:42.799506 2020] [rewrite:trace2] [pid 26491:tid mod_rewrite.c(470): [client 10.2.35.111:29429] 10.2.35.111 - - [10.2.35.111/sid#559b685a5a10][rid#559b689f9aa0/initial] init rewrite engine with requested uri /en/healthcheck.html

How do I exclude this before going to Splunk Cloud Indexer?

I tried adding props.conf and transforms.conf under /opt/splunkforwarder/etc/system/local/ but did not work.

props.conf
[source::/var/log/httpd/error_log]
TRANSFORMS-null= setnull

transforms.conf
[setnull]
REGEX = rewrite
DEST_KEY = queue
FORMAT = nullQueue

for REGEX, i also tried
healthcheck.html
\/en\/healthcheck.html

Thanks,
Sherwin

Labels (2)
Tags (1)
0 Karma
1 Solution

PavelP
Motivator

Hello @schua,

nullQueue work only on a Splunk instance which first parses/indexes events. UF doesn't parse events, so you need to apply this config on HF or Indexer

View solution in original post

0 Karma

PavelP
Motivator

Hello @schua,

nullQueue work only on a Splunk instance which first parses/indexes events. UF doesn't parse events, so you need to apply this config on HF or Indexer

View solution in original post

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!