Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering of events using nullQueue

flucman
Explorer
‎11-15-2013 03:07 PM

I am having issues filtering data into nullQueue. I have a log where the only lines I want indexed have the string "logit". I found on several sites a solution but the below still lets other strings through as well.

props.conf

[]
SHOULD_LINEMERGE = false
TRANSFORMS-set = setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = logit
DEST_KEY = queue
FORMAT = indexQueue

is there something else that needs added?

Tags (1)
0 Karma
Reply

flucman
Explorer
‎11-18-2013 07:14 AM

I am updating the props.conf and transforms.conf on the indexers and search head. The location I updated was the etc/system/local files.

It seems to be working now so may have just missed refreshing the configs on an indexer. Thanks!

0 Karma
Reply

kristian_kolb
Ultra Champion
‎11-17-2013 02:44 AM

btw - you don't have the string <sourcetype> in the props.conf stanza header, do you?

That is meant to be replaced with actual sourcetype for which you want to perform nullQueueing, e.g. [access_combined] or [linux_secure].

/k

Reply

kristian_kolb
Ultra Champion
‎11-16-2013 02:00 AM

From the look of it, it seems correct.

Are you making the configuration in the correct place? See http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/k

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...