Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transforms: why is nullQueue not working?

amiftah
Communicator
‎09-07-2018 09:30 AM

Hello,

I want to discard events that contain a string "Content", the following doesnt work, because I still see events with Content after I restarted and re-indexed:

transforms.conf
[allNullQueue]
REGEX = Content
DEST_KEY = queue
FORMAT = nullQueue

props.conf
[mysrctype]
TRANSFORMS-setnull = allNullQueue

I tried this in a standalone env, version 7.0.3 and 7.1.2
I can't find out where the problem is coming from.

Any clue?
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

amiftah
Communicator
‎09-07-2018 07:21 PM

I was missing a Lookahead, because my Content is positioned beyond the 4096 characters which is the default value for lookahead.
Thank you for your answers!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

amiftah
Communicator
‎09-07-2018 07:21 PM

I was missing a Lookahead, because my Content is positioned beyond the 4096 characters which is the default value for lookahead.
Thank you for your answers!

0 Karma
Reply
Solved! Jump to solution

mstjohn_splunk
Splunk Employee
Splunk Employee
‎09-11-2018 09:51 AM

hi @amiftah,

It looks like you figured out how to solve your problem. Would you mind approving your answer so that others can better see your solution?

Thanks!

0 Karma
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎09-07-2018 10:55 AM
  1. must be Splunk Enterprise (not Universal Forwarder)
  2. props.conf should reference source not sourcetype

  3. props.conf TRANSFORMS class and stanza name should be unique across deployment, not just specific config file

    props.conf
    [source::/mysource/example/*.csv]
    TRANSFORMS-setnull = allNullQueue

    transforms.conf
    [allNullQueue]
    REGEX = Content
    DEST_KEY = queue
    FORMAT = nullQueue

@marycordova
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎09-07-2018 10:47 AM

this is Splunk Enterprise and not a universal forwarder correct?

@marycordova
0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎09-07-2018 09:40 AM

Hi, do you have the same TRANSFORMS-setnull class defined elsewhere apart from the props.conf in question? You can check this by running a btool on your props splunk btool props list --debug | grep 'TRANSFORMS'.

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎09-07-2018 09:39 AM

I think only @micahkemp can help here. :horse:

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...