Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I still seeing debug logs in the Splunk heavy forwarder filtering?

raindrop18
Communicator
‎04-20-2018 10:32 AM

I have set the following on transforms.conf and props.conf but I still see DEBUG logs in my search. what did I miss

transforms.conf

#Remove: DEBUG
[null_kube_DEBUG]
REGEX = (DEBUG)
DEST_KEY=queue
FORMAT=nullQueue

props.conf

#### kube ################################
[source::kube.var.log.containers.*]
TRANSFORMS-null = null_kube_DEBUG
0 Karma
Reply

p_gurav
Champion
‎04-22-2018 09:27 PM

Can you try to use in props.conf:

 [null_kube_DEBUG]
 REGEX = DEBUG
 DEST_KEY=queue
 FORMAT=nullQueue
0 Karma
Reply

raindrop18
Communicator
‎04-23-2018 07:57 AM

thanks for the response, but still not filtering DEBUG. is there any difference for the logs ingested via http even collector (HEC)? this issue only I got on the logs ingested via HEC, other logs ingested via UF I don't see this issue.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-20-2018 11:08 AM

Did you restart the HF?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

raindrop18
Communicator
‎04-20-2018 11:54 AM

yes I did 🙂

0 Karma
Reply

somesoni2
Revered Legend
‎04-20-2018 01:31 PM

This will only affect the new incoming messages (any already ingested data would still showup in the search results). What does you DEBUG event look like? Can share a sample or two?

0 Karma
Reply

raindrop18
Communicator
‎04-20-2018 01:38 PM 
2018-04-20 20:36:35 DEBUG NetworkClient:627 - Initiating connection to node -1 at myserver1.net:9092.\n
2018-04-20 20:36:35 DEBUG NetworkClient:767 - Initialize connection to node -1 for sending metadata request\n
2018-04-20 20:36:35 DEBUG NetworkClient:570 - Node -3 disconnected.\n
2018-04-20 20:36:35 DEBUG NetworkClient:627 - Initiating connection to node -1 at myserver1.net:9092.\n
2018-04-20 20:36:35 DEBUG NetworkClient:767 - Initialize connection to node -1 for sending metadata request\n
2018-04-20 20:36:35 DEBUG NetworkClient:570 - Node -2 disconnected.\n
0 Karma
Reply

raindrop18
Communicator
‎04-20-2018 01:39 PM

this is newly ingested data.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...