I have two lines of events that are unnecessary because there is no date, and I would like to null-queue these out. I have tried several REGEX statements (^\s+(\<\/ns2:Subject.*\>) and <\/ns2:.*\>, to name a few) to delete these events. The Field Extraction GUI and an online REGEX tester show a match. However, these events still show up in the search.
The data which needs to be deleted is as follows:
(Please note there are spaces showing before the events, and they are on separate lines.)
transforms.conf:
[TrashEmptySubject]
REGEX = ^\s+(\<\/ns2:Subject.*\>)
DEST_KEY = queue

props.conf:
[smtrace]
TRANSFORMS-null = TrashEmptySubject
# FORMAT is a transforms.conf setting, not a props.conf one; it is kept here exactly as posted
FORMAT = nullQueue
props.conf:
[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf:
[TrashEmptySubject]
# leading whitespace or line breaks, then the closing tag with at least one character before the final >
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue
If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.
Thank you for the help. We are not doing any sourcetype override. We are getting these events directly from a forwarder, passing through one of two HFs (not being indexed there), ultimately landing on a Splunk instance which is both search head and indexer. I have edited both the HFs and the search head/indexer with these stanzas, and we are still seeing these types of events.
Here are my configurations:
props.conf:
# stanza header as in the earlier posted configuration
[smtrace]
TRANSFORMS-null = TrashEmptySubject

transforms.conf:
# stanza header as in the earlier posted configuration
[TrashEmptySubject]
REGEX = [\r\n\s]+<\/ns2:Subject[^>]+>
DEST_KEY = queue
FORMAT = nullQueue
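To check which events the two regexes posted in this thread would actually send to nullQueue, here is an added Python harness. It is not from the original thread and not Splunk code; it models, as assumptions, how a transforms.conf stanza with DEST_KEY = queue behaves: each event's _raw is searched, unanchored, with the stanza's REGEX, and on a match the queue key is set to FORMAT. Event boundaries are modelled with Splunk's default LINE_BREAKER ([\r\n]+). The sample stream is constructed, since the question's data lines did not survive; it includes both a bare </ns2:Subject> line and one carrying an attribute, because the two regexes disagree on them: ^\s+(\<\/ns2:Subject.*\>) matches both, while [\r\n\s]+<\/ns2:Subject[^>]+> requires at least one character between Subject and > and so lets the bare closing tag through. Whether leading whitespace survives in _raw on the real instance, and which tier parses the data first, are things the harness cannot check.

```python
"""Offline check of a Splunk nullQueue transform against sample _raw events.

Added example, not from the original thread. Assumptions about Splunk:
  * REGEX is applied as an unanchored search against the whole _raw text
    of each event, so ^ only matches at the very start of the event;
  * on a match, FORMAT (nullQueue) replaces the queue key and the event
    is dropped; otherwise it continues to the index queue;
  * events are split with the default LINE_BREAKER ([\r\n]+).
"""
from __future__ import annotations

import re

# The two regexes posted in the thread.
ASKER_REGEX = r"^\s+(\<\/ns2:Subject.*\>)"
ANSWER_REGEX = r"[\r\n\s]+<\/ns2:Subject[^>]+>"

# Default LINE_BREAKER; the captured group is the separator and is discarded.
LINE_BREAKER = r"([\r\n]+)"

# Constructed raw stream (the post's own data lines did not survive).
# Two closing-tag shapes are included because the regexes differ on them.
SAMPLE_STREAM = (
    "2024-05-01T10:00:00Z INFO request received\r\n"
    "   </ns2:Subject>\r\n"
    '   </ns2:Subject xmlns:ns2="urn:example">\r\n'
    "<ns2:Subject>keep me</ns2:Subject>\r\n"
)


def break_lines(stream: str, line_breaker: str = LINE_BREAKER) -> list[str]:
    """Split a raw stream into events the way LINE_BREAKER does."""
    parts = re.split(line_breaker, stream)
    # re.split keeps the captured separator at odd positions; drop it and empties.
    return [p for p in parts[::2] if p != ""]


def route(raw: str, regex: str, dest: str = "nullQueue") -> str:
    """Queue the event lands in: the transform's FORMAT on match, else indexQueue."""
    return dest if re.search(regex, raw) else "indexQueue"


def simulate(stream: str, regex: str) -> dict[str, list[str]]:
    """Run every event of the stream through the transform and group by queue."""
    result: dict[str, list[str]] = {"indexQueue": [], "nullQueue": []}
    for event in break_lines(stream):
        result[route(event, regex)].append(event)
    return result


if __name__ == "__main__":
    for name, regex in (("asker", ASKER_REGEX), ("answer", ANSWER_REGEX)):
        out = simulate(SAMPLE_STREAM, regex)
        print(f"{name}: dropped={len(out['nullQueue'])} indexed={len(out['indexQueue'])}")
        for ev in out["nullQueue"]:
            print("  dropped:", repr(ev))
```

Run it with the exact _raw text of a few real events pasted into SAMPLE_STREAM (copy them from a search with _index_earliest=-5m so the whitespace is what the indexer stored, not what a browser rendered). If the harness drops the event but the live system does not, the regex is fine and the problem is where the stanza is applied; if the harness keeps it, the regex needs adjusting before anything is redeployed.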