Getting Data In

Transforms: why is nullQueue not working?

amiftah
Communicator

Hello,

I want to discard events that contain a string "Content", the following doesnt work, because I still see events with Content after I restarted and re-indexed:

transforms.conf
[allNullQueue]
REGEX = Content
DEST_KEY = queue
FORMAT = nullQueue

props.conf
[mysrctype]
TRANSFORMS-setnull = allNullQueue

I tried this in a standalone env, version 7.0.3 and 7.1.2
I can't find out where the problem is coming from.

Any clue?
Thanks

0 Karma
1 Solution

amiftah
Communicator

I was missing a Lookahead, because my Content is positioned beyond the 4096 characters which is the default value for lookahead.
Thank you for your answers!

View solution in original post

0 Karma

amiftah
Communicator

I was missing a Lookahead, because my Content is positioned beyond the 4096 characters which is the default value for lookahead.
Thank you for your answers!

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @amiftah,

It looks like you figured out how to solve your problem. Would you mind approving your answer so that others can better see your solution?

Thanks!

0 Karma

marycordova
SplunkTrust
SplunkTrust
  1. must be Splunk Enterprise (not Universal Forwarder)
  2. props.conf should reference source not sourcetype
  3. props.conf TRANSFORMS class and stanza name should be unique across deployment, not just specific config file

    props.conf
    [source::/mysource/example/*.csv]
    TRANSFORMS-setnull = allNullQueue

    transforms.conf
    [allNullQueue]
    REGEX = Content
    DEST_KEY = queue
    FORMAT = nullQueue

@marycordova

marycordova
SplunkTrust
SplunkTrust

this is Splunk Enterprise and not a universal forwarder correct?

@marycordova
0 Karma

sudosplunk
Motivator

Hi, do you have the same TRANSFORMS-setnull class defined elsewhere apart from the props.conf in question? You can check this by running a btool on your props splunk btool props list --debug | grep 'TRANSFORMS'.

0 Karma

horsefez
Motivator

I think only @micahkemp can help here. :horse:

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...