Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Unable to nullqueue unnecessary lines without a date

babcolee
Path Finder
‎06-20-2019 01:51 PM

I have two lines of events that are unnecessary because there is no date and would like to null queue these out. I have tried several REGEX statements ( I have tried ^\s+(\<\/ns2:Subject.*\>), <\/ns2:.*\>, and to name a few) to delete these events. The Field Extraction GUI and REGEX online tester show a match. However, these events still show up in the search.
The data which needs to be deleted are as follows:
(Please note there are spaces showing before the events and they are on separate lines)

 </ns2:Subject>
       </ns2:SubjectConfirmation>

transforms.conf

[TrashEmptySubject]
REGEX = ^\s+(\<\/ns2:Subject.*\>)
DEST_KEY = queue

props.conf

[smtrace]
TRANSFORMS-null = TrashEmptySubject
FORMAT = nullQueue
0 Karma
Reply

woodcock
Esteemed Legend
‎06-20-2019 04:11 PM

Try this:

props.conf

[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf

[TrashEmptySubject]
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

babcolee
Path Finder
‎06-21-2019 06:17 AM

Thank you for your responses. Unfortunately, the events are still showing when I do a search after applying this REGEX

0 Karma
Reply

woodcock
Esteemed Legend
‎06-22-2019 12:59 PM

If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

0 Karma
Reply

babcolee
Path Finder
‎06-24-2019 09:24 AM

Thank you for the help. We are not doing any sourcetype overide. We are getting these events directly from a forwarder, passing through one of two HF's (not being indexed), ultimately landing on a Splunk instance which is both search head / indexer. I have edited both the HF's and search head / indexer with these stanzas and we are still seeing these type of events.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2019 10:00 AM

My answer definitely should work. Did you notice that you had a line in props.conf that should be in transforms.conf?

0 Karma
Reply

babcolee
Path Finder
‎06-24-2019 10:45 AM

Here are my configurations:

props.conf
[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf
[TrashEmptySubject]
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply

pruthvikrishnap
Contributor
‎06-20-2019 02:52 PM

add FORMAT = nullQueue to transforms.conf, instead of props.conf

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...