Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering of events using nullQueue

flucman
Explorer
‎11-15-2013 03:07 PM

I am having issues filtering data into nullQueue. I have a log where the only lines I want indexed have the string "logit". I found on several sites a solution but the below still lets other strings through as well.

props.conf

[]
SHOULD_LINEMERGE = false
TRANSFORMS-set = setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = logit
DEST_KEY = queue
FORMAT = indexQueue

is there something else that needs added?

Tags (1)
0 Karma
Reply

flucman
Explorer
‎11-18-2013 07:14 AM

I am updating the props.conf and transforms.conf on the indexers and search head. The location I updated was the etc/system/local files.

It seems to be working now so may have just missed refreshing the configs on an indexer. Thanks!

0 Karma
Reply

kristian_kolb
Ultra Champion
‎11-17-2013 02:44 AM

btw - you don't have the string <sourcetype> in the props.conf stanza header, do you?

That is meant to be replaced with actual sourcetype for which you want to perform nullQueueing, e.g. [access_combined] or [linux_secure].

/k

Reply

kristian_kolb
Ultra Champion
‎11-16-2013 02:00 AM

From the look of it, it seems correct.

Are you making the configuration in the correct place? See http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/k

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...