This seems pretty straightforward, but it's not working for me. On the indexer/search head I've set the following to attempt to get rid of the HealthChecker noise, but it is not doing anything. All HealthChecker events are still being indexed.
in /opt/splunk/etc/system/local
props.conf
[access_combined_wcookie]
TRANSFORMS-nullQ = nullFilter
transforms.conf
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue
Check your REGEX string. If you post it here with some sample events, we can check it for you.
OK, this is interesting. So there seems to have been a large lag before this (sort of) started working. Most events are being filtered now, but even though I have this set in the main indexer props/transforms.conf, one of the hosts is still getting these events indexed.
Any idea why it would be a specific host? Since it's not a config on the universal forwarders, but rather on the indexer itself, it shouldn't require a reload deploy-server or anything, right?
haha, no problem, I've had that kind of week too. However, all seems to be set up fine. The only thing I can think of trying, but didn't want to go randomly trying different solutions yet, is to try and specify a different sourcetype in my input stanzas instead of the auto-generated access-combined-wcookie that Splunk assigns to access files and go from there. I wanted to see if someone had a simple explanation why this wasn't working first.
By comparing the props.conf stanza name to your sourcetype, which I could have done with the info you already supplied. Can you tell I'm in pre-vacation mode? 🙂
How would you verify it? It seems pretty straightforward; how would I check to see that it's executing?
[access_combined_wcookie] > sourcetype
TRANSFORMS-nullQ = nullFilter
Your REGEX appears to work fine with your sample event. Have you verified the right props.conf stanza is executing?
The regex is in the transforms; it's straightforward: if an access log event has that in it, ignore it. The following works in search:
index=test sourcetype="access_combined_wcookie"| regex _raw=HealthChecker
This should be returning nothing with my nullQueue set, but all the events are still being indexed.
Here is a sample event returned:
1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"
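An added example, not from the thread and not Splunk's own code: a small Python simulation of the props.conf / transforms.conf chain above, used to check the point the replies raise, that the props.conf stanza name has to equal the event's sourcetype or the nullQueue transform never runs. The config text and the second event are constructed; the Python `re` module stands in for Splunk's PCRE engine.

```python
import configparser
import re

# Constructed copies of the two stanzas from the thread (not the poster's real files).
PROPS_CONF = """
[access_combined_wcookie]
TRANSFORMS-nullQ = nullFilter
"""
TRANSFORMS_CONF = """
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue
"""

# Sample event from the thread, plus a constructed ordinary request for contrast.
HEALTH_EVENT = ('1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] '
                '"GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"')
NORMAL_EVENT = ('1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:41 +0000] '
                '"GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"')


def load_conf(text):
    """Parse a .conf fragment; keep key case so TRANSFORMS-nullQ / DEST_KEY survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)


def route_event(sourcetype, raw, props=PROPS, transforms=TRANSFORMS):
    """Return the queue one event ends up in ('nullQueue' or 'indexQueue').

    Mirrors index-time routing: only the props stanza whose name equals the
    sourcetype is consulted; each TRANSFORMS-* entry names transforms.conf
    stanzas whose REGEX is searched (unanchored) against _raw; a match with
    DEST_KEY = queue rewrites the queue to FORMAT.
    """
    if not props.has_section(sourcetype):
        return "indexQueue"          # no stanza for this sourcetype: nothing runs
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                return t["FORMAT"]
    return "indexQueue"
```

Running `route_event("access_combined", HEALTH_EVENT)` shows the failure mode the replies point at: a host whose events arrive under a different sourcetype is never touched by the `[access_combined_wcookie]` stanza, so its health checks are indexed.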