This seems pretty straightforward, but it's not working for me. On the indexer/search head I've set the following to attempt to get rid of the HealthChecker noise, but it is not doing anything. All HealthChecker events are still being indexed.
# first line goes in props.conf under the sourcetype stanza; the rest in transforms.conf
TRANSFORMS-nullQ = nullFilter
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue
Ok, this is interesting. So there seems to have been a large lag in when this (sorta) started working. Most events are being filtered now, but even though I have this set in the main indexer's props/transforms.conf, one of the hosts is still getting these events indexed.
Any idea why it would be a specific host? Since it's not a config on the universal forwarders but rather on the indexer itself, it shouldn't require a reload deploy-server or anything, right?
Haha, no problem, I've had that kind of week too. However, all seems to be set up fine. The only thing I can think of trying (but I didn't want to go randomly trying different solutions yet) is to specify a different sourcetype in my inputs stanzas instead of the auto-generated access-combined-wcookie that Splunk assigns to access files, and go from there. I wanted to see if someone had a simple explanation of why this wasn't working first.
By comparing the props.conf stanza name to your sourcetype, which I could have done with the info you already supplied. Can you tell I'm in pre-vacation mode? 🙂
The regex is in the transforms; it's straightforward: if an access log event has that in it, ignore it. The following works in search:
index=test sourcetype="accesscombinedwcookie"| regex _raw=HealthChecker
This should be returning nothing with my nullQueue set, but all the events are still being indexed.
Here is a sample event returned:
1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"
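A small simulation, added here as an example and not code from the thread or from Splunk, of how a sourcetype stanza in props.conf combined with a nullQueue transform decides where an event goes. The IP addresses, the second sample line and the stanza name `[access-combined-wcookie]` are constructed; the model only handles exact-name sourcetype stanzas and ignores source::/host:: stanzas, stanza priority and the ordering of TRANSFORMS-* classes. It also lists sourcetypes in the data for which no props stanza exists, which is the first thing to check when a regex that works in search still lets events through to the index.

```python
"""Simplified model of how Splunk applies props.conf TRANSFORMS-* and
transforms.conf nullQueue routing at index time. Added illustration, not
Splunk code: it ignores source::/host:: stanzas, stanza priority and
transform-class ordering, and only models sourcetype stanzas with
exact-name matching."""
import re


def parse_conf(text):
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(sourcetype, raw, props, transforms):
    """Return the queue an event lands in: 'indexQueue' unless a matching
    transform with DEST_KEY = queue rewrites it (e.g. to 'nullQueue')."""
    queue = "indexQueue"
    stanza = props.get(sourcetype)  # sourcetype stanza names must match exactly
    if stanza is None:
        return queue
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms.get(name, {})
            regex = t.get("REGEX")
            # REGEX is unanchored, so re.search mirrors "event contains it"
            if regex and t.get("DEST_KEY") == "queue" and re.search(regex, raw):
                queue = t.get("FORMAT", queue)
    return queue


def sourcetypes_without_stanza(events, props):
    """Sourcetypes seen in the data that no props.conf stanza names: such
    events never get the transform applied, whatever the regex says."""
    return sorted({st for st, _ in events if st not in props})


# Constructed config, modelled on the stanzas discussed in the thread.
PROPS_CONF = """
[access-combined-wcookie]
TRANSFORMS-nullQ = nullFilter
"""

TRANSFORMS_CONF = """
[nullFilter]
REGEX = ELB-HealthChecker
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events (IPs are placeholders), as (sourcetype, _raw).
EVENTS = [
    ("access-combined-wcookie",
     '10.0.0.1 10.0.0.2 - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"'),
    ("access-combined-wcookie",
     '10.0.0.3 10.0.0.2 - - [22/May/2014:17:00:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "sid=abc"'),
    # Same health-check line, but the sourcetype name differs from the stanza name.
    ("accesscombinedwcookie",
     '10.0.0.1 10.0.0.2 - - [22/May/2014:17:00:42 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"'),
]


def route_all(events=EVENTS, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Route every event and return the list of queues, in input order."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    return [route_event(st, raw, props, transforms) for st, raw in events]


if __name__ == "__main__":
    props = parse_conf(PROPS_CONF)
    for (st, raw), q in zip(EVENTS, route_all()):
        print(f"{q:10s} {st:25s} {raw[:60]}...")
    print("sourcetypes with no props stanza:", sourcetypes_without_stanza(EVENTS, props))
```

The third event carries the same health-check string as the first but is never dropped, because no props stanza names its sourcetype; the regex is never consulted. In a real deployment also keep in mind that index-time transforms run on the first parsing-capable instance an event passes through (a heavy forwarder or the indexer), so a host whose data is parsed elsewhere needs the same stanzas on that instance.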