×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
vickyingle
Engager
Member since: ‎11-14-2024
‎11-17-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-14-2024
Activity Feed
Topics I've Started
View All

Re: Transforming error logs

by in Splunk Cloud Platform
‎11-17-2024 04:39 PM
‎11-17-2024 04:39 PM
Is there any way I can transform these logs once I receive them in Splunk (cloud) ? These are nginx error logs which contains sensitive data, and in nginx we can not sanitize the error_logs. Any suggestions will be highly appreciated. ... View more

Re: Transforming error logs

by in Splunk Cloud Platform
‎11-17-2024 04:34 PM
‎11-17-2024 04:34 PM
I'm using a universal forwarder, hence the transforms are not working, appreciate your response. ... View more

Transforming error logs

by in Splunk Cloud Platform
‎11-14-2024 10:15 PM
‎11-14-2024 10:15 PM
I'm trying to transform a error log Below is a sample log (nginx_error) 2024/11/15 13:10:11 [error] 4080#4080: *260309 connect() failed (111: Connection refused) while connecting to upstream, client: 210.54.88.72, server: mpos.mintpayments.com, request: "GET /payment-mint/cnpPayments/v1/publicKeys?callback=jQuery360014295356911736334_1731369073329&X-Signature=plkb810sFSSSIbASLb818BMXxgtUM76QNvhI%252FBA%253D&X-Timestamp=1731368881376&X-ApiKey=CSSSAPXXXXXXPxmO7kjMi&X-CompanyToken=d1111e8lV1mpvljiCD2zRgEEU121p&_=1731369073330 HTTP/1.1", upstream: "https://10.20.3.59:28076//cnpPayments/v1/publicKeys?callback=jQuery360014295356911736334_1731369073329&X-Signature=plkb810sFY3jmET4IbASLb818BMXxgtUM76QNvhI%252FBA%253D&X-Timestamp=1731368881376&X-ApiKey=CNPAPIIk7elIMDTunrIGMuXPxmO7kjMi&X-CompanyToken=dX6E3yDe8lV1mpvljiCD2zRgEEU121p&_=173123073330", host: "test.mintpayments.com", referrer: "https://vicky9.mintpayments.com/testing??asd We are trying to 1) GET query parameters must not be logged 2) Referrer must not contain the query string I have updated my config as below [04:59 PM] [root@dev-web01 splunkforwarder]# cat ./etc/system/local/props.conf [source::///var/log/devops/nginx_error.log] TRANSFORMS-sanitize_referer = remove_get_query_params, remove_referer_query [04:59 PM] [root@dev-web01 splunkforwarder]# cat ./etc/system/local/transforms.conf [remove_get_query_params] REGEX = (GET|POST|HEAD) ([^? ]+)\?.* FORMAT = $1 $2 DEST_KEY = _raw REPEAT_MATCH = true [remove_referer_query] REGEX = referrer: "(.*?)\?.*" FORMAT = referrer: "$1" DEST_KEY = _raw REPEAT_MATCH = true Verified that the regex is correct and when I run below to list the changes, its present /opt/splunkforwarder/bin/splunk btool transforms list --debug /opt/splunkforwarder/bin/splunk btool props list --debug Still I can see no transformation in the logs, what could be the issue here ? We are using custom splunkforwarder in our env. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-17-2024 07:59 PM