Why are we not receiving any logging with transfor...

daniel333 · ‎08-20-2019

All,

I have a 3 part TRANSFORMS.conf in my props.conf, when enable I receive no logging at all. How ever I am not seeing why.

Log Example -

{"Timestamp":"2019-08-20T23:07:27.8115577+00:00","Level":"FATAL","MessageTemplate":"TEST","Properties":{"MachineName":"something","LogType":"ScheduledTasks","App":"ScheduledTasks","Environment":"13"}

Here is my transforms -

# transforms.conf
# By default collect nothing
[nulldefault]
 REGEX = .
 DEST_KEY = queue
 FORMAT = nullQueue

# Let go ahead and keep Error|Crit|fatal and others
# Also if the dev mentions "splunk" in their log we'll keep it
[keep]
  REGEX=((?i)error|crit|fatal|splunk|ora-|INFO)
  DEST_KEY=queue
  FORMAT=indexQueue

# even with that there is some common garbage
[final]
  REGEX=app_name=SolrCloud
  DEST_KEY=queue
  FORMAT=nullQueue

Not seeing why this would drop all logs.

nareshinsvu · ‎08-20-2019

Did you mention your index name in the inputs.conf, else add this in your transforms.conf and see if it works?

transforms.conf
[keep_index]
   REGEX=((?i)error|crit|fatal|splunk|ora-|INFO)
   DEST_KEY=_MetaData:Index
   FORMAT=<your index name>

props.comf
TRANSFORMS-set = nulldefault,keep,keep_index

Why are we not receiving any logging with transforms.conf?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Why are we not receiving any logging with transforms.conf?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?