Getting Data In

nullqueue not working

Cuyose
Builder

This seems pretty straightforward, but it's not working for me. On the indexer/search head I've set the following to attempt to get rid of the HealthChecker noise, but it is not doing anything. All HealthChecker events are still being indexed.

in /opt/splunk/etc/system/local
props.conf
[access_combined_wcookie]
TRANSFORMS-nullQ = nullFilter

transforms.conf
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

richgalloway
SplunkTrust

Check your REGEX string. If you post it here with some sample events, we can check it for you.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Cuyose
Builder

Ok, this is interesting. So there seems to have been a large lag before this (sort of) started working. Most events are being filtered now, but even though I have this set in the main indexer's props/transforms.conf, one of the hosts is still getting these events indexed.

Any idea why it would be a specific host? Since it's not a config on the universal forwarders, but rather on the indexer itself, it shouldn't require a reload deploy-server or anything, right?

0 Karma

Cuyose
Builder

haha, no problem, I've had that kind of week too. However, all seems to be set up fine. The only thing I can think of trying (though I didn't want to go randomly trying different solutions yet) is to specify a different sourcetype in my input stanzas instead of the auto-generated access_combined_wcookie that Splunk assigns to access files, and go from there. I wanted to see if someone had a simple explanation why this wasn't working first.

0 Karma

richgalloway
SplunkTrust

By comparing the props.conf stanza name to your sourcetype, which I could have done with the info you already supplied. Can you tell I'm in pre-vacation mode? 🙂

---
If this reply helps you, Karma would be appreciated.
0 Karma

Cuyose
Builder

How would you verify it? It seems pretty straightforward; how would I check to see that it's executing?

[access_combined_wcookie]   # sourcetype
TRANSFORMS-nullQ = nullFilter

0 Karma

richgalloway
SplunkTrust

Your REGEX appears to work fine with your sample event. Have you verified the right props.conf stanza is executing?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Cuyose
Builder

The regex is in the transforms; it's straightforward: if an access log event has that in it, ignore it. The following works in search:

index=test sourcetype="access_combined_wcookie" | regex _raw=HealthChecker

This should be returning nothing with my nullQueue set, but all the events are still being indexed.

Here is a sample event returned:

1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"

0 Karma
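As an added illustration (not code from the thread or from Splunk), the following Python script mimics how an indexer applies a props.conf TRANSFORMS-* entry: it parses constructed copies of the two stanzas above, runs the regex against a constructed health-check event and a normal request, and shows that the same health-check event is kept when it arrives under a sourcetype other than the one named in the props stanza, which is exactly the mismatch richgalloway suggests checking. The sample events, IP addresses and the simplified first-match routing are assumptions of this example.

```python
import configparser
import re

# Constructed copies of the props.conf / transforms.conf posted in the thread.
PROPS_CONF = """
[access_combined_wcookie]
TRANSFORMS-nullQ = nullFilter
"""

TRANSFORMS_CONF = """
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue
"""

def load_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # Splunk keys are case-sensitive (TRANSFORMS-, REGEX)
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}

def route_event(sourcetype, raw, props, transforms):
    """Return 'nullQueue' (dropped) or 'indexQueue' (kept) for one raw event."""
    # Only TRANSFORMS-* keys in the stanza named exactly like the event's
    # sourcetype are consulted; the first queue-routing transform that matches wins.
    for key, value in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                return t["FORMAT"]
    return "indexQueue"

# Constructed sample events modelled on the one quoted in the thread.
HEALTHCHECK = ('10.0.0.1 10.0.0.2 - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" '
               '200 58 "-" "ELB-HealthChecker/1.0" "-"')
USER_HIT = ('10.0.0.3 10.0.0.2 - - [22/May/2014:17:00:41 +0000] "GET /index.php HTTP/1.1" '
            '200 512 "-" "Mozilla/5.0" "-"')

def check_routing():
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    return {
        "healthcheck, matching sourcetype": route_event("access_combined_wcookie", HEALTHCHECK, props, transforms),
        "user hit, matching sourcetype": route_event("access_combined_wcookie", USER_HIT, props, transforms),
        # A host whose input is tagged with another sourcetype never reaches the stanza.
        "healthcheck, other sourcetype": route_event("access_combined", HEALTHCHECK, props, transforms),
    }
```

Running `check_routing()` drops the health check only under `access_combined_wcookie`; a host whose access log is tagged with any other sourcetype keeps indexing it, which is the first thing to compare when one host ignores the filter.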