Hello, I have a couple of questions -
I have a Splunk forwarder with the SCOM app forwarding events to my Splunk indexer. I have a lot of events forwarding and noticed that it takes a few hours before the events show up via search. How can I determine if this is due to the indexer still processing events or the forwarder being slow sending the events to the indexer?
I'm trying to cut down on the events by filtering out some unneeded events. I don't need any events from this sourcetype that contain "Failure Code: 0x19". Here's what I put in my props.conf & transforms.conf:
props.conf:
[SCOM:Events:Security]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
KV_MODE=none
TRANSFORMS-null = setnull
transforms.conf:
[setnull]
REGEX = (?m)^.*Failure\s+Code:\s+0x19.*$
DEST_KEY = queue
FORMAT = nullQueue
How can I tell this is working if the indexer is still processing events? Does it process the event when it indexes or when it receives the event from the forwarder? Does the regex look okay to you?
Thanks in advance!
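One way to check the setnull regex before relying on it in production, as an added example that is not part of the original post: replay the poster's LINE_BREAKER and setnull REGEX over a constructed batch of events in Python. Splunk's regex engine is PCRE, but nothing in this pattern behaves differently under Python's re module. The sample events below are made up for this example, not real SCOM output, and the Python script is not a Splunk tool. It also shows why the (?m) flag in the transform matters: Windows security events are multi-line, and without (?m) the anchored pattern only matches when "Failure Code" sits on the first line of the event, so the event is wrongly kept.

```python
import re

# LINE_BREAKER from the poster's props.conf. Splunk discards the text matched
# by the capture group and starts the next event at the lookahead, so the
# group is replaced here by a plain split on the same newline + lookahead.
LINE_BREAKER = r"[\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})"

# The setnull REGEX from the poster's transforms.conf, unchanged.
SETNULL_REGEX = r"(?m)^.*Failure\s+Code:\s+0x19.*$"

# Same pattern without (?m): ^ and $ then only anchor to the whole event.
SETNULL_REGEX_NO_MULTILINE = r"^.*Failure\s+Code:\s+0x19.*$"

# Constructed sample batch (made up for this example). Three events in the
# shape SHOULD_LINEMERGE=false + LINE_BREAKER expects: each starts with a
# timestamp line and the Kerberos events carry a multi-line message body.
RAW_BATCH = """03/14/2014 10:15:01 AM
LogName=Security
EventCode=4776
Message=The computer attempted to validate the credentials for an account.
Logon Account: jdoe
Source Workstation: WS01
Error Code: 0x0
03/14/2014 10:15:03 AM
LogName=Security
EventCode=4768
Message=A Kerberos authentication ticket (TGT) was requested.
Account Name: svc_backup
Failure Code:   0x19
Pre-Authentication Type: 0
03/14/2014 10:15:04 AM
LogName=Security
EventCode=4768
Message=A Kerberos authentication ticket (TGT) was requested.
Account Name: asmith
Failure Code: 0x0
Pre-Authentication Type: 2
"""


def break_events(raw: str) -> list[str]:
    """Split a raw batch into events the way LINE_BREAKER would."""
    return [e.strip() for e in re.split(LINE_BREAKER, raw) if e.strip()]


def should_drop(event: str, pattern: str = SETNULL_REGEX) -> bool:
    """True if the setnull transform would route this event to nullQueue."""
    return re.search(pattern, event) is not None


def filter_batch(raw: str, pattern: str = SETNULL_REGEX) -> tuple[list[str], list[str]]:
    """Return (kept, dropped) events for a raw batch under the given regex."""
    kept, dropped = [], []
    for event in break_events(raw):
        (dropped if should_drop(event, pattern) else kept).append(event)
    return kept, dropped


if __name__ == "__main__":
    for label, pattern in (("with (?m)", SETNULL_REGEX),
                           ("without (?m)", SETNULL_REGEX_NO_MULTILINE)):
        kept, dropped = filter_batch(RAW_BATCH, pattern)
        print(f"{label}: kept={len(kept)} dropped={len(dropped)}")
        for event in dropped:
            print("  dropped:", event.splitlines()[0], "...", event.splitlines()[-2])
```

Expected behaviour: with the poster's regex the 0x19 event is dropped and the two others are kept; without (?m) nothing is dropped. Note that TRANSFORMS nullQueue routing runs in Splunk's parsing pipeline, so with a universal forwarder sending raw data the filtering happens on the indexer (or on a heavy forwarder, if one sits in between), not on the universal forwarder itself, and events already sitting in the indexer's queues before the restart are not retroactively filtered.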