nullqueue not working

Builder

This seems pretty straightforward, but it's not working for me. On the indexer/search head I've set the following to attempt to get rid of the HealthChecker noise, but it is not doing anything. All HealthChecker events are still being indexed.

In /opt/splunk/etc/system/local:

props.conf
[accesscombinedwcookie]
TRANSFORMS-nullQ = nullFilter

transforms.conf
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue


SplunkTrust

Check your REGEX string. If you post it here with some sample events, we can check it for you.

---
If this reply helps you, an upvote would be appreciated.

Builder

OK, this is interesting. So there seems to have been a large lag before this (sort of) started working. Most events are being filtered now, but even though I have this set in the main indexer's props/transforms.conf, one of the hosts is still getting these events indexed.

Any idea why it would be a specific host? Since it's not a config on the universal forwarders but rather on the indexer itself, it shouldn't require a reload deploy-server or anything, right?


Builder

Haha, no problem, I've had that kind of week too. However, all seems to be set up fine. The only thing I can think of trying (but I didn't want to go randomly trying different solutions yet) is to specify a different sourcetype in my input stanzas instead of the auto-generated access-combined-wcookie that Splunk assigns to access files, and go from there. I wanted to see if someone had a simple explanation why this wasn't working first.


SplunkTrust

By comparing the props.conf stanza name to your sourcetype, which I could have done with the info you already supplied. Can you tell I'm in pre-vacation mode? 🙂


Builder

How would you verify it? It seems pretty straightforward; how would I check to see that it's executing?

[accesscombinedwcookie]    (this is the sourcetype)
TRANSFORMS-nullQ = nullFilter


SplunkTrust

Your REGEX appears to work fine with your sample event. Have you verified the right props.conf stanza is executing?


Builder

The regex is in the transforms; it's straightforward: if an access log event has that string in it, ignore it. The following works in search:

index=test sourcetype="accesscombinedwcookie" | regex _raw=HealthChecker

This should be returning nothing with my nullQueue set, but all the events are still being indexed.

Here is a sample event returned:

1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"

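The two checks the SplunkTrust replies ask for ("check your REGEX string" and "compare the props.conf stanza name to your sourcetype") can be rehearsed offline. The script below is an added example, not code from this thread or from Splunk: it parses copies of the props.conf and transforms.conf posted in the question, applies only the TRANSFORMS-*/DEST_KEY=queue part of Splunk's index-time pipeline to the sample event, and reports which queue the event would land in. The events tagged `access_combined_wcookie` (Splunk's pretrained sourcetype name) are a constructed mismatch case to show that a stanza name which differs from the sourcetype by even an underscore is never consulted; the second sample event is constructed too.

```python
import configparser
import re

# Copies of the two stanzas from the question (constructed input for this example).
PROPS_CONF = """
[accesscombinedwcookie]
TRANSFORMS-nullQ = nullFilter
"""

TRANSFORMS_CONF = """
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue
"""

# The sample event from the thread, plus a constructed ordinary page hit.
SAMPLE_HEALTHCHECK = ('1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] '
                      '"GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"')
SAMPLE_PAGE_HIT = ('10.0.0.5 10.0.0.5 - - [22/May/2014:17:00:41 +0000] '
                   '"GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "sid=abc"')


def load_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}.
    Splunk keys are case-sensitive (TRANSFORMS-nullQ), so disable configparser's lowercasing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)


def route_event(sourcetype, raw, props=PROPS, transforms=TRANSFORMS):
    """Return (queue, reason) for one event.
    Only the [<sourcetype>] stanza is looked up, by exact name, which is the
    check the thread is about; source:: and host:: stanzas are ignored here."""
    stanza = props.get(sourcetype)
    if stanza is None:
        return "indexQueue", "no props stanza named exactly %r" % sourcetype
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        # A TRANSFORMS-* value may list several transforms, comma separated.
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") != "queue":
                continue
            if re.search(t["REGEX"], raw):
                return t["FORMAT"], "matched %s via %s" % (name, key)
    return "indexQueue", "no queue transform matched"


def near_miss_stanzas(sourcetype, props=PROPS):
    """Stanza names that equal the sourcetype once case, '_' and '-' are ignored.
    These look right at a glance but will never be applied to the sourcetype."""
    norm = lambda s: re.sub(r"[_-]", "", s).lower()
    return [name for name in props
            if name != sourcetype and norm(name) == norm(sourcetype)]


if __name__ == "__main__":
    for st in ("accesscombinedwcookie", "access_combined_wcookie"):
        for raw in (SAMPLE_HEALTHCHECK, SAMPLE_PAGE_HIT):
            queue, why = route_event(st, raw)
            print("%-24s -> %-10s (%s)" % (st, queue, why))
        if near_miss_stanzas(st):
            print("  stanza names that nearly match %r: %s" % (st, near_miss_stanzas(st)))
```

With the exact sourcetype the health-check event goes to nullQueue and the page hit is kept, which is what the regex check in the reply above predicts. With the underscored sourcetype nothing is filtered, because stanza lookup is by exact name. On a real indexer the equivalent check is `splunk btool props list <sourcetype> --debug`, which prints the merged stanza for that sourcetype and the file each setting came from; if the stanza is absent from that output, the transform is never reached, no matter how correct the REGEX is.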