I am trying to filter out events whenever the "healthcheck" url below appears.
2012-07-02 15:29:52,190 DEBUG [http-0.0.0.0-8080-3] LoggingFilter - url=[/healthCheck/status],
These events are intercepted by the indexer from VARIOUS SOURCETYPES (in this example sourcetype=syslog and sourcetype=applog).
Does this setup look ok? When configured in this manner, this filter WORKS EXCEPT it only works for sourcetype=syslog. It SHOULD work for both:
Indexer Configuration :
i) $SPLUNK_HOME/etc/system/local/props.conf
[syslog]
TRANSFORMS-null=setnull
[applog]
TRANSFORMS-null=setnull
ii) $SPLUNK_HOME/etc/system/local/transforms.conf
[setnull]
REGEX=\[/healthCheck/status]
DEST_KEY=queue
FORMAT=nullQueue
Finally got it to work. Had to just move it around quite a bit but it worked out.
For those that care, this is how I got those two sourcetypes to work:
From props.conf and transforms.conf respectively:
[syslog]
TRANSFORMS-null = setnull
[applog]
TRANSFORMS-null = ignore
[setnull]
REGEX=healthCheck
DEST_KEY=queue
FORMAT=nullQueue
[ignore]
REGEX=\[/healthCheck/status]
DEST_KEY=queue
FORMAT=nullQueue
Apparently the key is to NOT use the same REGEX in both places. No idea (?) but it worked out 🙂
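To sanity-check a nullQueue filter like the one above before it goes on an indexer, here is an added Python example (not from this thread and not Splunk code) that parses the two stanza sets, lints them for dangling TRANSFORMS-* references and misspelled keys such as DEST_Key, and routes constructed sample events the way Splunk's queue transforms do. It assumes Splunk's behaviour of testing REGEX against _raw, applying transforms in TRANSFORMS-* order with the last match winning.

```python
import configparser
import re
# Constructed copies of the accepted answer's stanzas; EVENTS below are constructed sample events.
PROPS_CONF = """
[syslog]
TRANSFORMS-null = setnull
[applog]
TRANSFORMS-null = ignore
"""
TRANSFORMS_CONF = r"""
[setnull]
REGEX = healthCheck
DEST_KEY = queue
FORMAT = nullQueue
[ignore]
REGEX = \[/healthCheck/status]
DEST_KEY = queue
FORMAT = nullQueue
"""
EVENTS = [  # (sourcetype, _raw); only the third should be indexed, the fourth shows the cost of a broad regex
    ("syslog", "2012-07-02 15:29:52,190 DEBUG [http-0.0.0.0-8080-3] LoggingFilter - url=[/healthCheck/status],"),
    ("applog", "2012-07-02 15:29:53,001 DEBUG [http-0.0.0.0-8080-4] LoggingFilter - url=[/healthCheck/status],"),
    ("applog", "2012-07-02 15:29:54,120 WARN  [http-0.0.0.0-8080-5] LoggingFilter - url=[/login],"),
    ("syslog", "2012-07-02 15:29:55,000 INFO  healthCheck worker restarted after error"),
]

def load_conf(text):
    """Parse a Splunk-style conf file, preserving key case so a typo like DEST_Key stays visible."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lint(props, transforms):
    """Flag TRANSFORMS-* names with no stanza and stanzas missing REGEX/DEST_KEY/FORMAT."""
    refs = [(st, n.strip()) for st, s in props.items() for k, v in s.items()
            if k.startswith("TRANSFORMS-") for n in v.split(",")]
    problems = [f"[{st}] references missing transform '{n}'" for st, n in refs if n not in transforms]
    for name, t in transforms.items():
        problems += [f"[{name}] missing key {k}" for k in ("REGEX", "DEST_KEY", "FORMAT") if k not in t]
    return problems

def route_event(props, transforms, sourcetype, raw):
    """'nullQueue' if a queue transform bound to this sourcetype matches _raw, else 'indexQueue'."""
    queue = "indexQueue"  # assumption: transforms apply in TRANSFORMS-* order, last match wins
    for key, value in props.get(sourcetype, {}).items():
        for name in (n.strip() for n in value.split(",") if key.startswith("TRANSFORMS-")):
            t = transforms.get(name, {})
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                queue = t["FORMAT"]
    return queue
```

Running the four sample events through it shows that the bare `healthCheck` regex on syslog also discards the unrelated "worker restarted" line, so anchor the pattern to the URL unless you really want every mention dropped.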
As a test you might try changing your regex to '.', just to see if it working at all. It sounds like something is going on with the sourcetype. You could also try setting up a props entry with source/host instead of sourcetype, just to test.
Just tried this. For some bizarre reason it's STILL doing it for the first one and not the second one.
OK, what about wildcarding the sourcetype for one entry in props.conf?
[(::){0}*log]
Yup. I tried tricking Splunk in this manner but that did not seem to work.
Given that it's working only for syslog, you might try a different entry for applog. Call it whatever, 'setnullapp' say, reference it in props and add that in your transforms.