Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

props and transforms not working

blbr123
Path Finder
‎05-08-2024 08:32 PM

Hi All,

My props and transforms is not working.

Kept the props and transforms in the Heavy Forwarder.

can anyone please assist.

I want to drop the below lines from ingesting into Splunk but its not working.

#Date: 2024-05-03 00:00:01

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https

props:

[mysourcetype]
TRANSFORMS-drop_header= drop_header

Transforms:

[drop_header]

REGEX = ^#Date.+\n#Fields.+
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-09-2024 12:55 AM

This format looks suspiciously familiar. Check if you're using INDEXED_EXTRACTIONS on this sourcetype. If you do, the data is parsed on the UF and is not further processed on the indexer (or HF).

0 Karma
Reply

blbr123
Path Finder
‎05-08-2024 11:03 PM

Yes I have checked in regex looks good.

There are no other HF's before.

blbr123_0-1715234566883.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 11:06 PM

Hi @blbr123,

this seems to be a multiline og, try adding (?ms) at the beginning of the regex.

Then test your regex in Splunk not outside Splunk.

Ciao.

Giuseppe

0 Karma
Reply

blbr123
Path Finder
‎05-08-2024 11:08 PM

sure will give a try and what does (?ms) do?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 11:15 PM

Hi @blbr123 ,

(?ms) in a regex means that you have to consider a multiine event.

Ciao.

Giuseppe

0 Karma
Reply

blbr123
Path Finder
‎05-08-2024 11:44 PM

Tested in splunk , only when I add (?ms) in front of regex it matches.

But when I check this entire regex in the regex tool it does not match

(?ms)^#Date.+\n#Fields.+

and I am not sure if we add (?ms) in transforms will work or not?

blbr123_0-1715237032086.png

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 11:55 PM

Hi @blbr123 ,

test it in Splunk using the regex command.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2024 10:59 PM

Hi @blbr123,

did you checked the regex in Splunk?

If you could share some sample of your logs I can help you in this.

are there other (one or more) HFs before the one where you located props and transforms?

The transofrmation muste be applied in the first full Splunk instance where data pass through.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...