nullqueue not working

Cuyose
Builder

This seems pretty straightforward, but it's not working for me. On the indexer/search head I've set the following to attempt to get rid of the HealthChecker noise, but it is not doing anything. All HealthChecker events are still being indexed.

in /opt/splunk/etc/system/local
props.conf
[access_combined_wcookie]
TRANSFORMS-nullQ = nullFilter

transforms.conf
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue


richgalloway
SplunkTrust

Check your REGEX string. If you post it here with some sample events, we can check it for you.

---
If this reply helps you, Karma would be appreciated.

Cuyose
Builder

Ok, this is interesting. So there seems to have been a large lag before this (sorta) started working. Most events are being filtered now, but even though I have this set in the main indexer's props/transforms.conf, one of the hosts is still getting these events indexed.

Any idea why it would be a specific host? Since it's not a config on the universal forwarders, but rather on the indexer itself, it shouldn't require a reload deploy-server or anything, right?


Cuyose
Builder

haha, no problem, I've had that kind of week too. However, all seems to be set up fine. The only thing I can think of trying (though I didn't want to go randomly trying different solutions yet) is to specify a different sourcetype in my input stanzas instead of the auto-generated access-combined-wcookie that Splunk assigns to access files, and go from there. I wanted to see if someone had a simple explanation why this wasn't working first.


richgalloway
SplunkTrust

By comparing the props.conf stanza name to your sourcetype, which I could have done with the info you already supplied. Can you tell I'm in pre-vacation mode? 🙂

---
If this reply helps you, Karma would be appreciated.

Cuyose
Builder

How would you verify it? It seems pretty straightforward; how would I check to see that it's executing?

[access_combined_wcookie]>source type
TRANSFORMS-nullQ = nullFilter


richgalloway
SplunkTrust

Your REGEX appears to work fine with your sample event. Have you verified the right props.conf stanza is executing?

---
If this reply helps you, Karma would be appreciated.

Cuyose
Builder

The regex is in the transforms; it's straightforward: if an access log event has that in it, ignore it. The following works in search:

index=test sourcetype="access_combined_wcookie"| regex _raw=HealthChecker

This should be returning nothing with my nullQueue set, but all the events are still being indexed.

Here is a sample event returned:

1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"

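As an added example (not from the thread or from Splunk itself), the script below models the routing rule the replies are checking: it loads the posted props.conf and transforms.conf, applies the nullFilter transform to the sample event, and shows that a props stanza name which does not exactly match the event's sourcetype (for instance a hyphenated access-combined-wcookie) leaves the health checks indexed. The event strings and the 10.0.0.x addresses are constructed, and the routing function is a simplification that handles sourcetype stanzas only.

```python
import configparser
import re

# Constructed copies of the props.conf / transforms.conf posted in the thread.
PROPS_CONF = """
[access_combined_wcookie]
TRANSFORMS-nullQ = nullFilter
"""
TRANSFORMS_CONF = """
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue
"""
# Constructed sample events: the ELB health check from the thread and a normal hit.
HEALTH_EVENT = ('10.0.0.1 10.0.0.2 - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" '
                '200 58 "-" "ELB-HealthChecker/1.0" "-"')
USER_EVENT = ('10.0.0.1 10.0.0.3 - - [22/May/2014:17:00:41 +0000] "GET /index.php HTTP/1.1" '
              '200 512 "-" "Mozilla/5.0" "-"')

def load_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so TRANSFORMS-nullQ survives
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def route_event(sourcetype, raw, props, transforms):
    """Return (queue, reason) for one event, as index-time routing decides it.

    Simplified to sourcetype stanzas only: TRANSFORMS-* keys are read from the
    props stanza whose name equals the sourcetype exactly; a transform with
    DEST_KEY=queue whose REGEX matches _raw sends the event to its FORMAT.
    """
    stanza = props.get(sourcetype)
    if stanza is None:
        return "indexQueue", "no props stanza named %r" % sourcetype
    for key, names in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = transforms.get(name, {})
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                return t["FORMAT"], "%s -> %s matched" % (key, name)
    return "indexQueue", "no transform matched"

PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)
```

Note that the REGEX matches anywhere in _raw, so any line containing that string is discarded; anchoring it to the health-check path and user agent you actually want to drop avoids silently losing other traffic. The real filter runs only where parsing happens (an indexer or heavy forwarder), so a host whose events reach the indexer already parsed by an intermediate heavy forwarder is not affected by the indexer's transforms.conf.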