I am having issues filtering data into nullQueue. I have a log where the only lines I want indexed have the string "logit". I found on several sites a solution but the below still lets other strings through as well.
props.conf:

[<sourcetype>]
SHOULD_LINEMERGE = false
TRANSFORMS-set = setnull,setparsing

transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = logit
DEST_KEY = queue
FORMAT = indexQueue
Is there something else that needs to be added?
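The configuration above relies on the order of the names in TRANSFORMS-set: Splunk runs the listed transforms one after another, and the last one whose REGEX matches is the one that writes DEST_KEY, so setnull first sends everything to nullQueue and setparsing then pulls the "logit" events back to indexQueue. The following Python model is an added example, not Splunk's own code and not from this thread; it reproduces only that ordering rule on a few constructed sample events so the effect of the order, of case sensitivity and of substring matching can be checked before the configuration is deployed.

```python
import re

# Added example (not Splunk's code, not from this thread): a small model of how
# Splunk applies the transforms named in a props.conf TRANSFORMS-<class> setting
# to each event at parse time. They run in list order, and the last one whose
# REGEX matches writes DEST_KEY, so "setnull,setparsing" decides what is dropped
# and what is kept.

# transforms.conf from the question, as a dict
TRANSFORMS = {
    "setnull":    {"REGEX": r".",     "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r"logit", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

# props.conf from the question: TRANSFORMS-set = setnull,setparsing
TRANSFORMS_SET = ["setnull", "setparsing"]

# Events that match no queue-routing transform at all keep the default queue.
DEFAULT_QUEUE = "indexQueue"


def route_event(raw, order=TRANSFORMS_SET, transforms=TRANSFORMS):
    """Return the queue one raw event ends up in after the transforms run in order."""
    queue = DEFAULT_QUEUE
    for name in order:
        t = transforms[name]
        if t["DEST_KEY"] != "queue":
            continue                      # only queue-routing transforms matter here
        if re.search(t["REGEX"], raw):    # PCRE-style search, case-sensitive by default
            queue = t["FORMAT"]           # a later match overwrites an earlier one
    return queue


def split_by_queue(events, order=TRANSFORMS_SET):
    """Partition events into what reaches the index and what is discarded."""
    kept = [e for e in events if route_event(e, order) == "indexQueue"]
    dropped = [e for e in events if route_event(e, order) == "nullQueue"]
    return kept, dropped


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2023-03-01 10:00:01 app[123]: logit user=alice action=login",
    "2023-03-01 10:00:02 app[123]: heartbeat ok",
    "2023-03-01 10:00:03 app[123]: LOGIT user=bob action=logout",   # case differs: dropped
    "2023-03-01 10:00:04 shop[77]: viewed catalogitem id=42",      # substring hit: kept
]

if __name__ == "__main__":
    kept, dropped = split_by_queue(SAMPLE_EVENTS)
    print("kept:", *kept, sep="\n  ")
    print("dropped:", *dropped, sep="\n  ")
    # Reversing the list makes setnull run last, so every event is dropped.
    print("reversed order keeps:", split_by_queue(SAMPLE_EVENTS, ["setparsing", "setnull"])[0])
```

Two things the sample run makes visible: with the order reversed nothing at all reaches the index, which is the symptom to look for if a copy of the stanza lists the names the other way round; and because REGEX = logit is a plain case-sensitive substring match, an upper-case "LOGIT" line is discarded while an unrelated line containing "catalogitem" is kept. If that is not intended, tighten the second transform to something like `(?i)\blogit\b` rather than widening the first.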
I am updating the props.conf and transforms.conf on the indexers and search head. The location I updated was the etc/system/local files.
It seems to be working now so may have just missed refreshing the configs on an indexer. Thanks!
btw - you don't have the string <sourcetype> in the props.conf stanza header, do you? That is meant to be replaced with the actual sourcetype for which you want to perform nullQueueing, e.g. [access_combined] or [linux_secure].
/k
From the look of it, it seems correct.
Are you making the configuration in the correct place? See http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/k