Hi,
I recently experimented with Splunk transformations in order to discard some log entries ( and that worked well on my lab setup ).
I am now trying to implement such a solution on our main Splunk Enterprise server in pre-production ( UAT ), but, for some reason, Splunk seems to completely ignore the transformation statements.
NB : in order to troubleshoot this behaviour, I already tried lots of things, including, among others :
running splunkd in debug mode
setting global regex(es) which would include everything
checking the configurations using btool
restarting the splunk service ( on the indexer ), countless times
... sadly, without any results so far 😐
Setup : summary
1 x main server / indexer ( Splunk Enterprise 6.4.1 w/ licence )
117 x universal forwarders ( same version as the indexer )
logs which are sent to the indexer : JSON applicative logs
*Setup : forwarder(s)*
/opt/splunkforwarder/etc/system/local/inputs.conf
[...]
[monitor:///var/log/vplatform/latest/app.log.json]
index = vplatform_uat_logs
crcSalt = <SOURCE>
sourcetype = VPLATFORM_JSON
[...]
*Setup : indexer*
/opt/splunkforwarder/etc/system/local/indexes.conf
[vplatform_uat_logs]
homePath = $SPLUNK_DB/vplatform_UAT_logs/db
coldPath = $SPLUNK_DB/vplatform_UAT_logs/colddb
thawedPath = $SPLUNK_DB/vplatform_UAT_logs/thaweddb
/opt/splunk/etc/apps/vplatform_UAT/local/props.conf
[VPLATFORM_JSON]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 0
TRANSFORMS-null = drop_info_jsons
/opt/splunk/etc/apps/vplatform_UAT/local/transforms.conf
[drop_info_jsons]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue
Behaviour
According to the setup above, all JSON logs sent from the forwarders with the sourcetype VPLATFORM_JSON should be discarded.
But unfortunately, this isn't the case.
If I issue the query below in the Splunk search app, it still returns results.
Query
index="vplatform_uat_logs" sourcetype="VPLATFORM_JSON"
Result sample
{
@level: INFO
@level_value: 20000
@service_name: vplatform-datamanager
hostname: t1vbbservice.*****
processId: 25568
version: 2.5.0-9243
}
host = t1vbbservice.******
source = /var/log/vplatform/latest/app.log.json
sourcetype = VPLATFORM_JSON
Solution ?
If someone could give me a clue about why Splunk is apparently not taking into account the transformation statements present in props & transforms, I would really appreciate it ( I have already spent two days on this issue and still don't understand why it is behaving like this ).
Thanks in advance
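Added example, not from the original post: when INDEXED_EXTRACTIONS is set, the universal forwarder performs the structured-data parsing itself and the indexer's parsing-stage TRANSFORMS are skipped for that data, so the nullQueue routing has to be deployed on the forwarder side. The file paths mirror the post; the `@level`-based regex is an assumption about the raw JSON layout (the post only shows the `.*` test regex).

```ini
# /opt/splunkforwarder/etc/system/local/props.conf  (on each universal forwarder)
[VPLATFORM_JSON]
INDEXED_EXTRACTIONS = JSON
KV_MODE = none
TRUNCATE = 0
# routing transform placed where the parsing of this sourcetype actually happens
TRANSFORMS-null = drop_info_jsons

# /opt/splunkforwarder/etc/system/local/transforms.conf  (on each universal forwarder)
[drop_info_jsons]
# assumption: each raw event is one JSON object containing "@level":"INFO"
# SOURCE_KEY defaults to _raw; the regex tolerates whitespace around the colon
REGEX = "@level"\s*:\s*"INFO"
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting the forwarder, `/opt/splunkforwarder/bin/splunk btool props list VPLATFORM_JSON --debug` run on the forwarder shows whether the stanza is picked up, and the search from the post can then be narrowed to `@level=INFO` to confirm that no new INFO events reach the index.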