Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using the transforms.conf file to only forward eve...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JordanPeterson
Path Finder
09-28-2017
02:16 PM
I've got a log file that get's 2 different event formats depending on if debugging is turned on. When debugging is turned on I don't want the debug events forwarded but I do want the normal events forwarded as normal.
I have a regular expression that will only include my normal events that looks like this: [0-9]*:.*[%].*
I know that I can create a transforms.conf file in $SPLUNK_HOME/etc/apps/appName/local to filter events.
In inputs.conf I have the following:
[monitor:///var/log/boot.log]
disabled = false
followTail = 0
index = zod-os
sourcetype = linux_bootlog
I think if I add the following to transforms.conf it will do what I want:
[linux_bootlog]
REGEX = [0-9]*:.*[%].*
What I'm not 100% sure of is if I need to create a props.conf file to point to the transform like I've seen in other answers. I don't want to extract any additional fields other than what Splunk appears to automatically be doing. Also, the debug events are multiline but since they don't match the regex I think they will drop automatically.
Does all of that sound like it will work?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
09-28-2017
02:59 PM
Yes, props.conf is what tells the system when to run the transforms in transforms.conf, so there needs to be a stanza there for your source (or however you want to identify the stuff that you are treating this way).
What I would tend to do is route everything to the nullqueue and then route the matching events back.
[source::/var/log/foo]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing
[setnull]
REGEX=.*
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = [0-9]*:.*[%].*
DEST_KEY = queue
FORMAT = nullQueue
The above is barely changed at all (only the second regex) from this answer... https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
09-28-2017
02:59 PM
Yes, props.conf is what tells the system when to run the transforms in transforms.conf, so there needs to be a stanza there for your source (or however you want to identify the stuff that you are treating this way).
What I would tend to do is route everything to the nullqueue and then route the matching events back.
[source::/var/log/foo]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing
[setnull]
REGEX=.*
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = [0-9]*:.*[%].*
DEST_KEY = queue
FORMAT = nullQueue
The above is barely changed at all (only the second regex) from this answer... https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
morethanyell
Builder
11-17-2019
07:25 PM
setparsing stanza should be FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JordanPeterson
Path Finder
09-28-2017
03:03 PM
This is exactly the kind of thing I needed. Thank you very much.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
