Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

props and transforms not working

blbr123
Path Finder
‎05-08-2024 08:32 PM

Hi All,

My props and transforms is not working.

Kept the props and transforms in the Heavy Forwarder.

can anyone please assist.

I want to drop the below lines from ingesting into Splunk but its not working.

#Date: 2024-05-03 00:00:01

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https

props:

[mysourcetype]
TRANSFORMS-drop_header= drop_header

Transforms:

[drop_header]

REGEX = ^#Date.+\n#Fields.+
DEST_KEY = queue
FORMAT = nullQueue

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-09-2024 12:55 AM

This format looks suspiciously familiar. Check if you're using INDEXED_EXTRACTIONS on this sourcetype. If you do, the data is parsed on the UF and is not further processed on the indexer (or HF).

0 Karma
Reply

blbr123
Path Finder
‎05-08-2024 11:03 PM

Yes I have checked in regex looks good.

There are no other HF's before.

blbr123_0-1715234566883.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 11:06 PM

Hi @blbr123,

this seems to be a multiline og, try adding (?ms) at the beginning of the regex.

Then test your regex in Splunk not outside Splunk.

Ciao.

Giuseppe

0 Karma
Reply

blbr123
Path Finder
‎05-08-2024 11:08 PM

sure will give a try and what does (?ms) do?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 11:15 PM

Hi @blbr123 ,

(?ms) in a regex means that you have to consider a multiine event.

Ciao.

Giuseppe

0 Karma
Reply

blbr123
Path Finder
‎05-08-2024 11:44 PM

Tested in splunk , only when I add (?ms) in front of regex it matches.

But when I check this entire regex in the regex tool it does not match

(?ms)^#Date.+\n#Fields.+

and I am not sure if we add (?ms) in transforms will work or not?

blbr123_0-1715237032086.png

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 11:55 PM

Hi @blbr123 ,

test it in Splunk using the regex command.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 10:59 PM

Hi @blbr123,

did you checked the regex in Splunk?

If you could share some sample of your logs I can help you in this.

are there other (one or more) HFs before the one where you located props and transforms?

The transofrmation muste be applied in the first full Splunk instance where data pass through.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...