Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to nullqueue unnecessary lines without a date

babcolee
Path Finder
‎06-20-2019 01:51 PM

I have two lines of events that are unnecessary because there is no date and would like to null queue these out. I have tried several REGEX statements ( I have tried ^\s+(\<\/ns2:Subject.*\>), <\/ns2:.*\>, and to name a few) to delete these events. The Field Extraction GUI and REGEX online tester show a match. However, these events still show up in the search.
The data which needs to be deleted are as follows:
(Please note there are spaces showing before the events and they are on separate lines)

 </ns2:Subject>
       </ns2:SubjectConfirmation>

transforms.conf

[TrashEmptySubject]
REGEX = ^\s+(\<\/ns2:Subject.*\>)
DEST_KEY = queue

props.conf

[smtrace]
TRANSFORMS-null = TrashEmptySubject
FORMAT = nullQueue
0 Karma
Reply

woodcock
Esteemed Legend
‎06-20-2019 04:11 PM

Try this:

props.conf

[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf

[TrashEmptySubject]
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

babcolee
Path Finder
‎06-21-2019 06:17 AM

Thank you for your responses. Unfortunately, the events are still showing when I do a search after applying this REGEX

0 Karma
Reply

woodcock
Esteemed Legend
‎06-22-2019 12:59 PM

If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

0 Karma
Reply

babcolee
Path Finder
‎06-24-2019 09:24 AM

Thank you for the help. We are not doing any sourcetype overide. We are getting these events directly from a forwarder, passing through one of two HF's (not being indexed), ultimately landing on a Splunk instance which is both search head / indexer. I have edited both the HF's and search head / indexer with these stanzas and we are still seeing these type of events.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2019 10:00 AM

My answer definitely should work. Did you notice that you had a line in props.conf that should be in transforms.conf?

0 Karma
Reply

babcolee
Path Finder
‎06-24-2019 10:45 AM

Here are my configurations:

props.conf
[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf
[TrashEmptySubject]
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply

pruthvikrishnap
Contributor
‎06-20-2019 02:52 PM

add FORMAT = nullQueue to transforms.conf, instead of props.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...