Getting Data In

Filtering of events using nullQueue

flucman
Explorer

I am having issues filtering data into nullQueue. I have a log where the only lines I want indexed have the string "logit". I found on several sites a solution but the below still lets other strings through as well.

props.conf

[]
SHOULD_LINEMERGE = false
TRANSFORMS-set = setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = logit
DEST_KEY = queue
FORMAT = indexQueue

is there something else that needs added?

Tags (1)
0 Karma

flucman
Explorer

I am updating the props.conf and transforms.conf on the indexers and search head. The location I updated was the etc/system/local files.

It seems to be working now so may have just missed refreshing the configs on an indexer. Thanks!

0 Karma

kristian_kolb
Ultra Champion

btw - you don't have the string <sourcetype> in the props.conf stanza header, do you?

That is meant to be replaced with actual sourcetype for which you want to perform nullQueueing, e.g. [access_combined] or [linux_secure].

/k

kristian_kolb
Ultra Champion

From the look of it, it seems correct.

Are you making the configuration in the correct place? See http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/k

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...