Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using HEC with props.conf and transforms.conf

gifkinsju
New Member
‎04-19-2018 02:39 PM

Hi there,

I'm experiencing difficulty in discarding certain events while they're passing through my heavyweight forwarder layer. I'm attempting to do so using a props.conf and transforms.conf.

The end to end traffic flow is architected in the following manner:

Java log appender -> HEC (based on Heavyweight Forwarder) -> Indexer <-> Search Head

The content of my props.conf is as follows:

[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
category = Structured
TRANSFORMS-set = setnull

The content of my transforms.conf is as follows:

[setnull]
REGEX = \"path\":\"\\\/status\”
DEST_KEY = queue
FORMAT = nullQueue

Here's an example of a message of which I'm trying to filter:

{"severity":"INFO","logger":"RL","thread":"omitted","message":{"path":"\/status","requestBody":null,"success":null,"query":null,"errorMessage":null,"startTime":"09:31:03.133","endTime":"09:31:03.133","httpMethod":"GET","operation":"StatusController.status","processingTime":0.0,"statusCode":0},"properties":{"start_time":"1524173463133","ua_family_version":"null.null","os_family":"omitted","customer_number":"omitted","requestID":"omitted","ua_family":"omitted","session_id":null,"device_family":"omitted","client_ip":"omitted","request_id":"omitted","os_family_version":"null.null"}}

After applying the props.conf and transforms.conf I've tried both restarted our Heavyweight Forwarders, as well as using the http://splunk.domain/en-US/debug/refresh/ URL to reload the config, but the logs are still being indexed despite this. This makes me suspect that my props.conf or transforms.conf are incorrectly formatted.

I've also tried completing this configuration directly at the Indexer but this has failed.

Essentially my desired outcome is that I want any message which has the "path" key defined as "/status" to be routed to null, and not be indexed, while all other traffic is indexed successfully.

If there's any assistance that could be offered in resolving this issue it would be greatly appreciated!

Thanks!

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-28-2018 04:14 PM

Please confirm the endpoint you are using to send data to HEC

Are you using /services/collector or /services/collector/event or /services/collector/raw ?

As per the universal forwarder wiki page https://wiki.splunk.com/images/d/da/Splunk_EventProcessing_v19_0_UF_Indexer.png JSON/event data goes via the structured parsing queue, raw data goes via the normal mechanism.

The main diagram https://wiki.splunk.com/File:Splunk_EventProcessing_v19_0_standalone.png has not been updated yet but I can confirm from experience that the props/transforms will not work if your using /services/collector/event

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

laurent_
Explorer
‎09-28-2018 01:12 AM

Hello,

We got the same problem. I'm still waiting for support to come back on this issue.

0 Karma
Reply

hrawat
Splunk Employee
Splunk Employee
‎02-05-2022 10:11 PM

If  with INDEXED_EXTRACTIONS=JSON, indexed extraction is working intermittently then it's  possible that json HEC  event payload is more than 512KB. It's known issue for HEC that for indexed extraction `maxEventSize`  is not honored hence max json payload is 512KB. Fixed in Splunk 9.0 and above.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top