I have Splunk monitoring some syslog files. I also have a lot of noisy syslog going into syslog; much of it is noise I don't care to index. With just 11 devices I am at 80MB/hr, but I want to limit that by adding filters to Splunk to not index certain syslog message types, like TCP teardown from my ASA firewalls, etc.
While posting this I did see some suggested related topics, but the Qs were either from 2010 or were more recent but relevant to an older version of Splunk.
Is there an easy way to click-to-filter events so they are no longer indexed, etc.?
To answer your question in a word, No. You can't click to filter events. However, you can route data you don't want indexed into the nullQueue so you won't incur the licensing cost indexing those events would carry.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad
Specifically, you should review the topic 'Discard specific events and keep the rest'. It gives an example of doing exactly what you're inquiring about in your question.
Note that the latest link to "Routeandfilterdatad" is under the "Forward" rather than "Deploy" documentation path. https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Next time you need to reload conf files, use this:
cd $SPLUNK_BASE
./splunk _internal call /services/data/inputs/monitor/_reload -auth
It will prompt for username & password; this way you don't have to list your admin passwords in bash_history.
I have confirmed that trying to reload the conf changes using the CLI method as mentioned does not work; I had to do a "service splunk restart". I have v4.3.1.
One last comment: this whole reload bit should be written into the init.d script so we can run "service splunk reload" from the CLI or cron, etc.
Not sure what that is about, but I've done it myself many, many times. From $SPLUNK_HOME/bin/ run './splunk _internal call /services/data/inputs/monitor/_reload -auth admin:youradminpassword'
OK, I got the regex match part. But the reload part is not clear; in the link you provided the last post says "But I have not succeded to reload inputs.conf with this or with wget.", etc.
http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf
When setting a [
... recurses through directories until the match is met.
* matches anything but / 0 or more times.
| is equivalent to 'or'
( ) are used to limit scope of |.
So, you'd use ... for this purpose.
Same for inputs.
http://docs.splunk.com/Documentation/Splunk/latest/data/Specifyinputpathswithwildcards
Also, you don't need to restart to reload inputs:
http://splunk-base.splunk.com/answers/5838/can-inputsconf-be-reloaded-without-restarting-splunkd
I went back to using * in source:
[source::/logs/syslog/*/*/*/*/log]
I double-checked the conf files, restarted Splunk again, and now it seems to be ditching this noise.
I can't use actual src paths because they are dynamic, using the wildcard path I show here. When a new syslog-ng host shows up I restart Splunk so it can discover the new path/file, etc. I wish Splunk could dynamically recognize new log files in a wildcard path, but it does not seem to be the case. Maybe there is a workaround for that so I don't have to restart Splunk with every new syslog file?
Solved for now.
Thanks.
I mean by calling the transform in props, as you've done. What is the source field that is shown in your UI? Does it match what you've got here? If not, it probably won't work. That's why it might be easier to use the sourcetype field instead.
All I did was add to the conf files; the documentation says to add to the conf files, and "that's it".
transforms.conf
[setnull]
REGEX = ASA-6-(302021|302020|302014|305011|305013|305014|305012)
DEST_KEY = queue
FORMAT = nullQueue
and props.conf
[source::/logs/syslog/firewalls/fw1/2010/03/log]
TRANSFORMS-null= setnull
How do you mean "call" the transform?
EDIT - I just noticed a source error; it should be 2012, not 2010. Edited and restarting now, so let's see, 1 min.
What do your props look like? I don't know how you're calling your transforms.conf, so it could be that you're doing that incorrectly. When this isn't working, I try to make it as simple as possible. For instance, try calling it using sourcetype, and for your regex, use '.', so everything should get routed to the nullQueue. That way, at least I can know if the problem is with the transform or someplace in props.
OK, but it's not working. I still get the events in a search. I did restart Splunk after the edits, etc. I am running the latest rev, etc.
Yeah, understood. I had just copied/pasted, and must have missed a character. Anyway, that looks like a transform I've set up in the past for someone else, so I think it will work well for you. If you found the information helpful, please feel free to upvote and accept the answer.
Comments need \ escaping if you wish to use the \ char in the comment; notice your sshd text is missing the escape char. My ? char is not part of the regex, it is just there as question-mark punctuation, etc. I tried exactly what I posted but it's not working; I suspect the source using wildcard * is not valid??
This is my actual transforms syntax:
[setnull]
REGEX = ASA-6-(302021|302020|305011|305013|305014|305012)
DEST_KEY = queue
FORMAT = nullQueue
I tried using the actual path for source in props.conf, but the events are still showing up. Any suggestions?
Use OR in REGEX like [sshd]|TEARDOWN|FOO, which is what you're looking for, as Splunk supports PCRE. If you can do it in PCRE, you can do it in Splunk.
jbsplunk,
The documentation says:
In props.conf, set the TRANSFORMS-null attribute:
[source::/var/log/messages]
TRANSFORMS-null= setnull
Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = nullQueue
I have 11 log files (from syslog) being monitored, each in their own dir (and more coming), so can I use a wildcard for source like [source::/syslog/*/*/*/*/log]? And then use OR in REGEX like \[sshd\]|TEARDOWN|FOO? Or do I need to create conf statements for each log file?
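The two things this thread keeps tripping over, whether a wildcard [source::...] stanza actually covers the monitored paths, and whether the OR'd, escaped REGEX discards only the intended events, can both be checked offline before a restart. The script below is an added example, not code from Splunk or from anyone in this thread. It converts the source wildcard syntax described above ("..." recurses through directories, "*" matches anything but "/") into an anchored regex, applies the thread's transforms REGEX (with the docs' escaped [sshd] literal OR'd on) to a few constructed ASA- and sshd-style lines, and shows why the brackets must be escaped. Assumptions: Python's re behaves like PCRE for patterns this simple (it does), and "..." is approximated as ".*"; the sample events and paths are made up.

```python
import re

# transforms.conf REGEX from the thread (ASA message IDs to discard), with the
# escaped [sshd] literal from the Splunk docs example OR'd on. Splunk applies
# this to the raw event; PCRE and Python's re agree for patterns this simple.
NULLQUEUE_REGEX = re.compile(
    r"ASA-6-(302021|302020|302014|305011|305013|305014|305012)|\[sshd\]"
)

# The wildcard source stanza used in the thread's props.conf.
SOURCE_PATTERN = "/logs/syslog/*/*/*/*/log"


def source_pattern_to_regex(pattern):
    """Translate Splunk [source::...] wildcard syntax into an anchored regex.

    Per the docs: '...' recurses through directories (approximated here as
    '.*', an assumption), '*' matches anything except '/', and every other
    character is taken literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def source_matches(source, pattern=SOURCE_PATTERN):
    """True if the event's source path falls under the props.conf stanza."""
    return source_pattern_to_regex(pattern).match(source) is not None


def route(source, event):
    """Mimic the props/transforms decision: an event whose source matches the
    stanza AND whose text matches the REGEX goes to nullQueue; the rest are indexed."""
    if source_matches(source) and NULLQUEUE_REGEX.search(event):
        return "nullQueue"
    return "indexQueue"


def escaped_vs_unescaped(text):
    r"""Why the docs escape the brackets: r'\[sshd\]' matches the literal text
    '[sshd]', while r'[sshd]' is a character class matching any single 's', 'h'
    or 'd' and would send almost every event to nullQueue."""
    return (
        re.search(r"\[sshd\]", text) is not None,
        re.search(r"[sshd]", text) is not None,
    )


# Constructed sample events in ASA / syslog style (not real captures).
SAMPLE_EVENTS = [
    ("/logs/syslog/firewalls/fw1/2012/03/log",
     "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/443 "
     "to inside:192.168.1.10/51234 duration 0:00:01 bytes 1234 TCP FINs"),
    ("/logs/syslog/firewalls/fw1/2012/03/log",
     "%ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/443 "
     "to 192.168.1.10/51234 flags RST on interface outside"),
    # Contains 'sshd' but not the literal '[sshd]', so it is kept.
    ("/logs/syslog/hosts/web1/2012/03/log",
     "sshd[2211]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2"),
    ("/logs/syslog/hosts/web1/2012/03/log",
     "[sshd] session opened for user bob"),
    # Same teardown message, but the source is outside the wildcard stanza.
    ("/var/log/messages",
     "%ASA-6-302014: Teardown TCP connection 99 for outside:203.0.113.5/443 "
     "to inside:192.168.1.10/51235 duration 0:00:02 bytes 10 TCP FINs"),
]


def route_all(events=SAMPLE_EVENTS):
    """Route each (source, event) pair; returns the queue decisions in order."""
    return [route(src, ev) for src, ev in events]


if __name__ == "__main__":
    for (src, ev), queue in zip(SAMPLE_EVENTS, route_all()):
        print(f"{queue:10s} {src}  {ev[:60]}")
```

Run it against the source value exactly as the UI shows it for a real event (the point made above about the source field having to match the stanza): if source_matches returns False for that string, the transform will never fire regardless of how good the REGEX is, which is the same failure mode as the 2010-vs-2012 path typo in this thread.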