Splunk Search

Can you give me some nullQueue regex help?

Communicator

On a heavy forwarder, I have the following in the props and transforms files:
props.conf
[source::/opt/TJApplication/.../]
TRANSFORMS-null= setnull

transforms.conf
[setnull]
REGEX = (DEBUG|ERROR)
DEST_KEY = queue
FORMAT = nullQueue

Overall this works well to not ingest data from programs running in DEBUG or ERROR mode.

Then, I found another program running in debug mode. However, debug is all lower case. Here is the beginning of one of the events:
[Thu Nov 15 11:59:30 2018] [debug]

I changed the props.conf and transforms.conf as follows:

props.conf
[source::/opt/TJApplication/.../]
TRANSFORMS-null= setnull

[source::/usr/local/.../]
TRANSFORMS-null = setnull

transforms.conf
[setnull]
REGEX = (DEBUG|debug|ERROR)
DEST_KEY = queue
FORMAT = nullQueue

But the [debug] data is not getting sent to the nullqueue.
Any suggestions?


Re: Can you give me some nullQueue regex help?

SplunkTrust

Have you tried restarting Splunk after that change?


Re: Can you give me some nullQueue regex help?

Communicator

Yes, I always bounce Splunk after making this type of change.


Re: Can you give me some nullQueue regex help?

Communicator

Maybe [source::/usr/local/.../] is wrong?


Re: Can you give me some nullQueue regex help?

Communicator

Perhaps. I have modified the source as follows and will try that out:

[source::/usr/local/logs/.../*_log]
TRANSFORMS-null = setnull


Re: Can you give me some nullQueue regex help?

Communicator

How about you try to use case-insensitive for your regex? Something like this:
...
REGEX = (?i)(debug|error)
...

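To see what each REGEX variant from this thread would actually send to the nullQueue before changing a production heavy forwarder, it helps to dry-run the patterns against sample events. The script below is an added example, not part of the thread or of Splunk itself: it uses Python's re module (Splunk uses PCRE, but these particular patterns behave the same in both) and a handful of constructed log lines in the format quoted in the question. It runs the three REGEX values posted above plus an assumed anchored variant that only looks at the bracketed log level, which avoids discarding an INFO event simply because the word ERROR appears in its message text. Splunk applies a transform's REGEX to the raw event (SOURCE_KEY defaults to _raw), so a bare substring match anywhere in the line is enough to drop it.

```python
import re

# Constructed sample events (not taken from the thread); the first line
# mirrors the event format quoted in the question.
SAMPLE_EVENTS = [
    "[Thu Nov 15 11:59:30 2018] [debug] cache warmup started",
    "[Thu Nov 15 11:59:31 2018] [Debug] mixed-case level",
    "[Thu Nov 15 11:59:32 2018] [error] connection refused",
    "[Thu Nov 15 11:59:33 2018] [info] user requested ERROR report",
    "[Thu Nov 15 11:59:34 2018] [notice] service healthy",
]

# The REGEX values discussed in the thread, plus an assumed anchored form
# that only inspects the bracketed level field after the timestamp.
REGEXES = {
    "original": r"(DEBUG|ERROR)",
    "explicit_lowercase": r"(DEBUG|debug|ERROR)",
    "case_insensitive": r"(?i)(debug|error)",
    "anchored_level": r"(?i)^\[[^\]]+\] \[(debug|error)\]",
}


def route(event, regex):
    """Mimic a [setnull] transform: a REGEX hit sends the event to nullQueue,
    otherwise it continues to the indexing pipeline."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def dropped(regex, events=SAMPLE_EVENTS):
    """Return the events that a transform with this REGEX would discard."""
    return [e for e in events if route(e, regex) == "nullQueue"]


if __name__ == "__main__":
    for name, regex in REGEXES.items():
        print(f"{name}: {regex}")
        for event in SAMPLE_EVENTS:
            print(f"  {route(event, regex):10s} {event}")
```

Running it shows that the poster's second regex, (DEBUG|debug|ERROR), does match the quoted [debug] event, which supports the replies pointing at the source stanza rather than the pattern. It also shows that every unanchored variant drops the [info] line containing the word ERROR, while the anchored form keeps it; when the goal is to suppress a log level rather than a word, anchoring the pattern to the level field is the safer choice.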