Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to nullqueue unnecessary lines without a date

babcolee
Path Finder
‎06-20-2019 01:51 PM

I have two lines of events that are unnecessary because there is no date and would like to null queue these out. I have tried several REGEX statements ( I have tried ^\s+(\<\/ns2:Subject.*\>), <\/ns2:.*\>, and to name a few) to delete these events. The Field Extraction GUI and REGEX online tester show a match. However, these events still show up in the search.
The data which needs to be deleted are as follows:
(Please note there are spaces showing before the events and they are on separate lines)

 </ns2:Subject>
       </ns2:SubjectConfirmation>

transforms.conf

[TrashEmptySubject]
REGEX = ^\s+(\<\/ns2:Subject.*\>)
DEST_KEY = queue

props.conf

[smtrace]
TRANSFORMS-null = TrashEmptySubject
FORMAT = nullQueue
0 Karma
Reply

woodcock
Esteemed Legend
‎06-20-2019 04:11 PM

Try this:

props.conf

[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf

[TrashEmptySubject]
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

babcolee
Path Finder
‎06-21-2019 06:17 AM

Thank you for your responses. Unfortunately, the events are still showing when I do a search after applying this REGEX

0 Karma
Reply

woodcock
Esteemed Legend
‎06-22-2019 12:59 PM

If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

0 Karma
Reply

babcolee
Path Finder
‎06-24-2019 09:24 AM

Thank you for the help. We are not doing any sourcetype overide. We are getting these events directly from a forwarder, passing through one of two HF's (not being indexed), ultimately landing on a Splunk instance which is both search head / indexer. I have edited both the HF's and search head / indexer with these stanzas and we are still seeing these type of events.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2019 10:00 AM

My answer definitely should work. Did you notice that you had a line in props.conf that should be in transforms.conf?

0 Karma
Reply

babcolee
Path Finder
‎06-24-2019 10:45 AM

Here are my configurations:

props.conf
[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf
[TrashEmptySubject]
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply

pruthvikrishnap
Contributor
‎06-20-2019 02:52 PM

add FORMAT = nullQueue to transforms.conf, instead of props.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...