Re: Can you give me some Nullque regex help?

MikeBertelsen · ‎11-15-2018

On a heavy forwarder, I have the following in the props and transforms files:
props.conf
[source::/opt/TJApplication/.../]
TRANSFORMS-null= setnull

transforms.conf
[setnull]
REGEX = (DEBUG|ERROR)
DEST_KEY = queue
FORMAT = nullQueue

Overall this works well to not ingest data from programs running in DEBUG or ERROR mode.

Then, I found another program running in debug mode. However, debug is all lower case. Here is the beginning of one of the events:
[Thu Nov 15 11:59:30 2018] [debug]

I changed the props.conf and transforms.conf as follows:

props.conf
[source::/opt/TJApplication/.../]
TRANSFORMS-null= setnull

[source::/usr/local/.../]
TRANSFORMS-null = setnull

transforms.conf
[setnull]
REGEX = (DEBUG|debug|ERROR)
DEST_KEY = queue
FORMAT = nullQueue

But the [debug] data is not getting sent to the nullqueue.
Any suggestions?

vincenteous · ‎12-12-2018

How about you try to use case-insensitive for your regex? Something like this:
...
REGEX = (?i)(debug|error)
...

osakachan · ‎11-16-2018

Maybe [source::/usr/local/.../] is wrong?

MikeBertelsen · ‎12-12-2018

perhaps. I have modified the source as follows and will try that out:

[source::/usr/local/logs/.../*_log]
TRANSFORMS-null = setnull

Richfez · ‎11-15-2018

Have you tried restarting Splunk after that change?

MikeBertelsen · ‎12-12-2018

yes, I always bounce Splunk after making this type of change.

Can you give me some Nullque regex help?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor