- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Yet another transform nullqueue formatting issue (...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having no success in filtering out the "-- MARK --" messages from my syslogs.
Here is my props.conf:
[source::\\syslog*]
sourcetype = syslog
TRANSFORMS = marker
transforms.conf:
[marker]
FORMAT=nullQueue
DEST_KEY=queue
REGEX=-- MARK --
Example raw source data:
Mar 12 15:54:43 ReadyNAS01 -- MARK --
Mar 12 15:34:43 ReadyNAS01 -- MARK --
Mar 12 15:14:43 ReadyNAS01 -- MARK --
Mar 12 14:54:43 ReadyNAS01 -- MARK --
Mar 12 14:34:43 ReadyNAS01 -- MARK --
Mar 12 14:14:43 ReadyNAS01 -- MARK --
I've tried following just about every example posted here, as well as the default ones... nothing seems to work. The only other idea is I'm editing the "wrong" props.conf... but Splunk has consumed other changes from that exact configuration file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved!
I was close when I thought I was editing the "wrong" props.conf and transforms.conf Unfortunately the UI change I made put me on a wild goose chase.
The correct files to edit (for a Windows install) are located in $SPLUNK_HOME\etc\system\local\*.conf
My syslog is now properly filtering out -- MARK --
But, this means my sourcetypes are all messed up because they were all in the "admin" version of the props.conf (and not properly being set). Looks like some bulk export/importing is in my near future 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved!
I was close when I thought I was editing the "wrong" props.conf and transforms.conf Unfortunately the UI change I made put me on a wild goose chase.
The correct files to edit (for a Windows install) are located in $SPLUNK_HOME\etc\system\local\*.conf
My syslog is now properly filtering out -- MARK --
But, this means my sourcetypes are all messed up because they were all in the "admin" version of the props.conf (and not properly being set). Looks like some bulk export/importing is in my near future 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, final try (before I throw something valuable/dangerous)...
Reading through this post:
http://answers.splunk.com/answers/2775/regexs-and-windows-paths-in-inputs-conf-and-props-conf.html#a...
... I now have a better idea on how pattern matches work for Windows-based Splunk sources. I think the double \\ I was using Is not matched, so the "source" of ...\\syslog matches nothing. I can't remember which Answers post I read had the "escaped" slash version for Windows-specific sources... but I know I read it at some point.
I have changed just the props.conf entry again to:
[source::...syslog*]
sourcetype = syslog
TRANSFORMS-null = marker
20 minutes will tell...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nailed down the exact locations of the files that Splunk expects to use (by creating a new "transform" in the UI, and locating that file). I think the reason I have so many props and transforms files is the install is a bit "dirty". I installed the enterprise version, then had a temporary 6 month dev license, then finally changed to free licensing (since my indexing is well under 500mb/day).
My "active" .conf file locations (Windows 7 install): C:\Program Files\Splunk\etc\users\admin\search\local\*.conf
Still no dice with getting the nullQueue to work...
My next thought was maybe the props.conf is not catching it so I changed it to the exact source:
[source::A:\\Splunk\\readynas01\\syslog*]
sourcetype = syslog
TRANSFORMS-null = marker
And transforms.conf:
[marker]
FORMAT=nullQueue
DEST_KEY=queue
REGEX=\s--\sMARK\s--
(side question: why is nullQueue not a valid entry for FORMAT in the Field transformations UI?! This would make it possible to set these types of changes up via the UI... but, if you try to use it (by editing the regex) in the existing send_to_nullqueue Field transformation, it fails to save with an "Invalid FORMAT: nullQueue" error.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things:
- check the
TRANSFORMSoption in props.conf, it should be likeTRANSFORMS-whateveryouwant = marker - use as regex for whitespaces a
\sHope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll try that. I think I can reload the transforms with just | extract reload=t. But in light of all the problems, I've restarted... now I wait for 20 minutes for the next "marker"...
I also edited all three of the 'transforms.conf' files (save for the one with the comment that says "do not edit") in the following locations:
Splunk\etc\users\admin\search\local\
Splunk\etc\apps\search\local\
Splunk\etc\apps\splunk_management_console\default\
(edit)
Nope, still getting " -- MARK --" entries.
Here's the new transforms.conf
FORMAT=nullQueue
DEST_KEY=queue
REGEX=\s--\sMARK\s--
I found additional props.conf file in \etc\users\admin\search\local\ and edited that one as well... I suspect this is the "correct" one to use since it has the brand-new field extractions I created...
Index This | What are the 12 Days of Splunk-mas?
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
