Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ignore Events from Mutiple Sources

chrisboy68
Contributor
‎05-20-2015 03:32 AM

Hi,

I have multiple sources to one sourcetype. I'm trying to drop events and my props and transforms work fine by the sourcetype. However, I want to have different rules by sourcetype.

in Props.conf

[source::MyLogService*.log] 
TRANSFORMS-grtrash2 = eliminate-debug

in Transform.conf

[eliminate-debug]
REGEX = (?m)-\s*DEBUG\s*-
DEST_KEY = queue
FORMAT = nullQueue

I've tried different combinations of defining the "source" and props.conf and nothing is working. Real source looks like:
\server\logfolder\MyLogService150520-01.log

Any ideas?

Thank you!

Chris

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-20-2015 08:12 AM

The documentation says this:

Match expressions must match the entire name, not just a substring. If you are familiar
with regular expressions, match expressions are based on a full implementation of PCRE with the
translation of ..., * and . Thus . matches a period, * matches non-directory separators,
and ... matches any number of any characters.

For more information see the wildcards section at:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards

And the referenced like says this:

Important: Input path specifications in inputs.conf don't use regular expressions (regexes) but rather Splunk-defined wildcards.

So I think it needs to be like this:

 [source::.../server\d+folder\$MyLogService\d+-\d+\.log]
0 Karma
Reply

chrisboy68
Contributor
‎05-20-2015 09:39 AM

Driving me batty,

With the source name of :
\server001\folder$\MyLogService150515-03.log

I did:
[source::\\server001\folder$\MyLogService*.log]

Still no go. grrr.

Chris

0 Karma
Reply

woodcock
Esteemed Legend
‎05-20-2015 09:43 AM

Try the FULL PATH with literal filename (no RegEx) and work backwards from there.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-20-2015 07:12 AM

Your RegEx is wrong:

[source::.*server\d+folder\$MyLogService\d+-\d+\.log]
0 Karma
Reply

chrisboy68
Contributor
‎05-20-2015 07:52 AM

Thanks, I tried that and its still not working. This was a typo with me masking the real text. I validate my regex here: https://regex101.com/#python to make sure my entire source is captured.

Baffled....

Chris

0 Karma
Reply

chrisboy68
Contributor
‎05-20-2015 06:47 AM

I also changed the source to a full regex. Tested the regex is working correctly. Still not applying the Transforms. I can only get the Transforms to work by using the the sourcetype, baffled with source is not working.

In Props:

[source::.server\d+.folder\$.MyLogService\d+-\d+\.log]  
TRANSFORMS-grtrash = setnull , setparsing, badError, badError2

The source:
\server001\folder$\MyLogService150515-03.log

Thanks

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...