Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is my Splunk 6.2.5 Heavy Forwarder not filteri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My Heavy Forwarder forwards data to the indexer fine, however, I wanted to filter out some events before being forwarded using props.conf and transforms.conf, but the indexer still receives everything.
props.conf:
[source::/var/log/vsftpd.log]
TRANSFORMS-null = setnull
transforms.conf:
[setnull]
REGEX = 220
DEST_KEY = queue
FORMAT = nullQueue
for testing, I just simplified the REGEX to filter out all events containing "220"
I even tried REGEX = . (to filter out everything) but still had no effect.
What am I missing?
I'm using Splunk 6.2.5 BTW.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mystery solved!
per Splunk support recommendation, i reinstalled a fresh splunk 6.2.5 and everything worked as expected.
I guess the problem is that my previous 6.2.5 installation was an upgrade from 6.0.1
Shouldn't have to do that but hey it works now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mystery solved!
per Splunk support recommendation, i reinstalled a fresh splunk 6.2.5 and everything worked as expected.
I guess the problem is that my previous 6.2.5 installation was an upgrade from 6.0.1
Shouldn't have to do that but hey it works now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just open a new case with splunk support.
will post the results when the case is resolved.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (changes to transforms.conf, keep the same props.conf)
transforms.conf
[setnull]
REGEX = (220)
DEST_KEY = queue
FORMAT = nullQueue
Also, ensure to restart the heavy forwarder after change.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
same results.
just for testing, i brought the props.conf/transforms.conf to the indexer and it filtered as expected.
so it must be something on the forwarder side.
not sure if it helps, but the "cmd btool" dumped this info:
% /opt/splunk/bin/splunk cmd btool transforms list setnull
[setnull]
CAN_OPTIMIZE = True
CLEAN_KEYS = True
DEFAULT_VALUE =
DEST_KEY = queue
FORMAT = nullQueue
KEEP_EMPTY_VALS = False
LOOKAHEAD = 4096
MV_ADD = False
REGEX = 220
SOURCE_KEY = _raw
WRITE_META = False
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
