Hello All,
I am attempting to filter out specific events from a given input, they're useless and I don't want to waste resources indexing them. I have found a number of seemingly great answers and help pages for how to set this up with a props.conf and transforms.conf. Below are the dumps from btool for my app's inputs.conf, props.conf and transforms.conf:
inputs.conf:
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\inputs.conf [aws_s3://cdn-mkXLVI]
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\inputs.conf aws_account = SplunkIAM
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\inputs.conf bucket_name = testbucket
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\inputs.conf key_name = cflogs
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\inputs.conf sourcetype = mkXLVI:aws:s3
props.conf:
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\props.conf [sourcetype::mkXLVI:aws:s3]
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\props.conf TRANSFORMS-nullQmkXLVI = nullFiltermkXLVI
transforms.conf:
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\transforms.conf [nullFiltermkXLVI]
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\transforms.conf DEST_KEY = queue
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\transforms.conf FORMAT = nullQueue
C:\Program Files\Splunk\etc\apps\CDN_MKXLVI\local\transforms.conf REGEX = WebServices
This is my 46th attempt with different variations on how I'm referencing sourcetype, regex style and other pieces and I have been unable to get anything to filter out these records.
My input is an S3 bucket and I'm using the Splunk Add-on for AWS (http://docs.splunk.com/Documentation/AddOns/latest/AWS/Description). Can anyone take a look at what I'm up to here and let me know what I can try to sort this out? My assumption is that I'm not wiring something up correctly in my conf files and the regex is never being applied, but I've been failing for over a day now, so anything you can tell me to try would be grand.
Thanks,
Pat
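For comparison with the btool output above, here is the standard Splunk index-time nullQueue layout for this sourcetype, written as an added example rather than taken from the post. It assumes the props.conf stanza is the bare sourcetype name (no `sourcetype::` prefix) and that both files sit on the instance that parses the data (the heavy forwarder running the aws_s3 input, or the indexer it forwards to), because universal forwarders do not apply TRANSFORMS.

```ini
# Added example, not the original poster's files. Assumes: props.conf keys the
# stanza on the bare sourcetype name, and both files are deployed on the
# parsing tier (heavy forwarder or indexer), where index-time transforms run.

# --- props.conf ---
[mkXLVI:aws:s3]
TRANSFORMS-nullQmkXLVI = nullFiltermkXLVI

# --- transforms.conf ---
[nullFiltermkXLVI]
# REGEX is matched against _raw (the default SOURCE_KEY). Keep it as specific
# as the unwanted records allow: events sent to nullQueue are gone before
# indexing and cannot be recovered for later investigation.
REGEX = WebServices
DEST_KEY = queue
FORMAT = nullQueue
```

On the parsing host, `splunk btool props list mkXLVI:aws:s3 --debug` shows whether Splunk resolves that stanza and which file it reads it from; if the TRANSFORMS line does not appear under that stanza, the filter is never wired in.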