Splunk Search

Filter Input data from universalforwarder port_9514

mayler
Path Finder

First, thanks for taking the time to look at this. Hopefully I'll be able to provide all the information you need to help me out.

I have several extremely chatty Windows servers (AD 2008) with a universal forwarder installed (4.3.1 build 119532). They're forwarding Windows events to my Splunk server (same version and build) over TCP 9514. So the Splunk server is configured to receive on tcp_9514.

in /etc/system/local/props.conf
[default]
TRANSFORMS-wmi=wminull

in /etc/system/local/transforms.conf

[wminull]
REGEX=(?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634|4672|5156|4662|4624|7036|5145|5140)
DEST_KEY=queue
FORMAT=nullQueue

The problem is I'm still indexing events mentioned in the regex. This configuration worked in our test environment. I'm not sure where to start troubleshooting this. I think it's all configured correctly.

metrics.log (one host)

INFO Metrics - group=tcpin_connections, 10.1.57.202:49328:9514, connectionType=cooked, sourcePort=49328, sourceHost=10.1.57.202, sourceIp=10.1.57.202, destPort=9514, _tcp_Bps=51043.12, _tcp_KBps=49.85, _tcp_avg_thruput=364.65, kb=1463.47, _tcp_Kprocessed=35517.31, _tcp_eps=36.85, build=119532, version=4.3.1, os=Windows, arch=x64, hostname=dccoslo2, guid=526275C8-DEC9-4F06-BD7B-30EFB3158043, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false


mayler
Path Finder

Unfortunately, there is no answer to the issue I experienced.

Removed my Splunk install completely and re-installed the latest version as a fresh install. I only kept my transforms.conf and props.conf files. Everything else is brand new.

And the filter is working. I suspect Ayn was on the right track. Something in my configuration was not right. Thanks for the help!


Ayn
Legend

Just one thought - did you make sure that your transform identifier (the "wmi" part in "TRANSFORMS-wmi") isn't duplicated anywhere? These identifiers need to be unique, so if they're not that will cause undefined behaviour.

mayler
Path Finder

I searched again, this time at /etc/* but still no joy. I really thought that might have been it this time! 🙂 So we all agree the syntax, etc. is good. And this did work in our test environment. But the test environment was brand new. I think I'll just backup my .conf files and install fresh. I'll update.


Ayn
Legend

Note that there are other paths than etc/system that props.conf can reside in. For instance all apps in etc/apps.

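The two suggestions in this thread, that a TRANSFORMS-* identifier must not be duplicated and that props.conf can live under any app in etc/apps as well as etc/system, are easy to check mechanically. The following is an added example, not code from the thread or from Splunk: a small Python audit that walks a whole etc/ tree for every props.conf and transforms.conf, reports TRANSFORMS-* keys defined in more than one file, confirms each referenced transform exists and its REGEX compiles, and shows where a sample Windows event would be routed. The config tree, the app named hypothetical_app, the wmikeep transform and the sample events are all constructed for the demo; the wminull stanza is the one quoted in the question.

```python
"""Audit a Splunk config tree for duplicate TRANSFORMS-* keys and test a
nullQueue transform against sample events (added example, constructed data)."""
import os
import re
import tempfile
from collections import defaultdict

# Constructed config tree, not a real $SPLUNK_HOME. It mirrors the stanzas from
# the question and adds a hypothetical app carrying a second TRANSFORMS-wmi,
# the kind of duplicate a grep limited to etc/system/* never sees.
SAMPLE_TREE = {
    "etc/system/local/props.conf":
        "[default]\nTRANSFORMS-wmi = wminull\n",
    "etc/system/local/transforms.conf":
        "[wminull]\n"
        "REGEX = (?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634"
        "|4672|5156|4662|4624|7036|5145|5140)\n"
        "DEST_KEY = queue\nFORMAT = nullQueue\n",
    "etc/apps/hypothetical_app/local/props.conf":   # hypothetical app
        "[default]\nTRANSFORMS-wmi = wmikeep\n",
    "etc/apps/hypothetical_app/local/transforms.conf":
        "[wmikeep]\nREGEX = .\nDEST_KEY = queue\nFORMAT = indexQueue\n",
}

# Constructed Windows Security events in the multi-line layout the UF forwards.
EVENT_4624 = ("04/10/2012 10:15:22 AM\nLogName=Security\nEventCode=4624\n"
              "EventType=0\nMessage=An account was successfully logged on.\n")
EVENT_4625 = ("04/10/2012 10:15:23 AM\nLogName=Security\nEventCode=4625\n"
              "EventType=0\nMessage=An account failed to log on.\n")


def write_sample_tree(root):
    """Materialise SAMPLE_TREE under root so the audit walks real files."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def find_conf_files(root, name):
    """Every file called `name` anywhere under root/etc (system and apps)."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "etc")):
        if name in files:
            hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit(root):
    """Return duplicate TRANSFORMS-* keys, all transform stanzas, and problems."""
    refs = defaultdict(list)          # (stanza, key) -> [(path, value)]
    for path in find_conf_files(root, "props.conf"):
        with open(path) as fh:
            for stanza, keys in parse_conf(fh.read()).items():
                for key, value in keys.items():
                    if key.startswith("TRANSFORMS-"):
                        refs[(stanza, key)].append((path, value))
    transforms = {}                   # name -> stanza dict plus its source path
    for path in find_conf_files(root, "transforms.conf"):
        with open(path) as fh:
            for name, keys in parse_conf(fh.read()).items():
                transforms[name] = dict(keys, _path=path)
    problems = []
    for (stanza, key), uses in refs.items():
        for path, value in uses:
            for name in re.split(r"\s*,\s*", value):   # TRANSFORMS-x = a, b
                t = transforms.get(name)
                if t is None:
                    problems.append(f"{path}: {key} references missing [{name}]")
                    continue
                try:
                    re.compile(t.get("REGEX", ""))
                except re.error as exc:
                    problems.append(f"{t['_path']}: [{name}] REGEX invalid: {exc}")
    duplicates = {k: v for k, v in refs.items() if len(v) > 1}
    return {"duplicates": duplicates, "transforms": transforms, "problems": problems}


def decide_queue(event, transform):
    """Route for one event under one transform: its FORMAT on a REGEX match when
    DEST_KEY=queue, otherwise the default indexQueue."""
    if transform.get("DEST_KEY") != "queue":
        return "indexQueue"
    return transform["FORMAT"] if re.search(transform["REGEX"], event) else "indexQueue"


def build_and_audit():
    """Write the constructed tree to a temp dir and audit it."""
    root = tempfile.mkdtemp()
    write_sample_tree(root)
    return audit(root)


if __name__ == "__main__":
    report = build_and_audit()
    for (stanza, key), uses in report["duplicates"].items():
        print(f"DUPLICATE [{stanza}] {key} defined in {len(uses)} files:")
        for path, value in uses:
            print(f"  {path} -> {value}")
    for p in report["problems"]:
        print("PROBLEM", p)
    wmi = report["transforms"]["wminull"]
    print("4624 ->", decide_queue(EVENT_4624, wmi))   # nullQueue
    print("4625 ->", decide_queue(EVENT_4625, wmi))   # indexQueue
```

Pointing `audit()` at a real $SPLUNK_HOME instead of the temp tree is the equivalent of the grep in the thread, but across etc/apps as well as etc/system; any entry in `duplicates` is a candidate for the "unique identifier" problem, and `decide_queue` lets you confirm the regex actually matches the event layout your forwarders send before blaming the config merge.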

mayler
Path Finder

Thank you for the suggestion. I ran grep -irn TRANSFORMS-wmi /opt/splunk/etc/system/* and it only shows the one entry in /local/props.conf.


mwhite_splunk
Splunk Employee

mayler
Path Finder

Thank you for pointing that out. I tried using that earlier but no luck.
