Solved: Transforms: why is nullQueue not working?

amiftah · ‎09-07-2018

Hello,

I want to discard events that contain a string "Content", the following doesnt work, because I still see events with Content after I restarted and re-indexed:

transforms.conf
[allNullQueue]
REGEX = Content
DEST_KEY = queue
FORMAT = nullQueue

props.conf
[mysrctype]
TRANSFORMS-setnull = allNullQueue

I tried this in a standalone env, version 7.0.3 and 7.1.2
I can't find out where the problem is coming from.

Any clue?
Thanks

amiftah · ‎09-07-2018

I was missing a Lookahead, because my Content is positioned beyond the 4096 characters which is the default value for lookahead.
Thank you for your answers!

View solution in original post

amiftah · ‎09-07-2018

I was missing a Lookahead, because my Content is positioned beyond the 4096 characters which is the default value for lookahead.
Thank you for your answers!

View solution in original post

mstjohn_splunk · ‎09-11-2018

hi @amiftah,

It looks like you figured out how to solve your problem. Would you mind approving your answer so that others can better see your solution?

Thanks!

marycordova · ‎09-07-2018

must be Splunk Enterprise (not Universal Forwarder)
props.conf should reference source not sourcetype
props.conf TRANSFORMS class and stanza name should be unique across deployment, not just specific config file

props.conf
[source::/mysource/example/*.csv]
TRANSFORMS-setnull = allNullQueue

transforms.conf
[allNullQueue]
REGEX = Content
DEST_KEY = queue
FORMAT = nullQueue

marycordova · ‎09-07-2018

this is Splunk Enterprise and not a universal forwarder correct?

sudosplunk · ‎09-07-2018

Hi, do you have the same TRANSFORMS-setnull class defined elsewhere apart from the props.conf in question? You can check this by running a btool on your props splunk btool props list --debug | grep 'TRANSFORMS'.

pyro_wood · ‎09-07-2018

I think only @micahkemp can help here. :horse: