Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- REGEX for nullQueue in transforms.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a certain logfile (tied to sourcetype: syslog) inbound from a forwarder which has THIS line in it:
2012-07-02 15:29:52,190 DEBUG [http-0.0.0.0-8080-3] LoggingFilter - url=[/healthCheck/status],
We want to filter out any events ON THE INDEXER SIDE that have this content -> /healthCheck/status.
We tried making the following changes to :
i) $SPLUNK_HOME/etc/system/local/props.conf
[sourcetype::syslog]
TRANSFORMS-null=ignore
and then over at
ii) $SPLUNK_HOME/etc/system/local/transforms.conf
[ignore]
REGEX=healthCheck
DEST_Key=queue
FORMAT=nullQueue
However that does not seem to work and I am certain its because the REGEX is not setup correctly.
I have tried the following alternatives that do not work out either:
1. REGEX= \[(healthCheck)\]
2. REGEX= (^m)(healthCheck)
3. REGEX= \healthCheck\status
4. REGEX= ^\S+\s+(?<healthCheck>\S+)
~~~
Also, is it likely that the changes ought to made to the props.conf and transforms.conf which resides at $SPLUNK_HOME/etc/apps/search/local instead ? Any suggestions ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This regex should match /healthCheck/status
REGEX=/healthCheck/status
None of these characters are special characters to regex. If you want to match [/healthCheck/status], then this should do it
REGEX=\[/healthCheck/status]
If neither of these works, then perhaps the problem is elsewhere. For example it is not
DEST_Key=queue
But
DEST_KEY=queue
So check your transforms.conf and props.conf very carefully. Of course, perhaps that was just a typo in your question here, not in the original file...
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This regex should match /healthCheck/status
REGEX=/healthCheck/status
None of these characters are special characters to regex. If you want to match [/healthCheck/status], then this should do it
REGEX=\[/healthCheck/status]
If neither of these works, then perhaps the problem is elsewhere. For example it is not
DEST_Key=queue
But
DEST_KEY=queue
So check your transforms.conf and props.conf very carefully. Of course, perhaps that was just a typo in your question here, not in the original file...
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I take that back it worked out indeed !
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
