Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to filter logs with the word "version" to nullQueue on the Splunk Cloud Sandbox?

andremidea
Engager
‎04-06-2015 11:52 AM

I'm trying to filter logs with the 'version' word, and send them to the nullQueue.

First of all, i'm using the UniversalForwarder and Splunk Cloud sandbox, i tried to do this by using the config files,

Something like this,

props.conf

[default] 
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = version
DEST_KEY = queue
FORMAT = nullQueue

But it didn't workout, then i read that with Splunk Cloud you need to do these configurations using the GUI.

It's quite confusing how to do this, every documentation is about the Enterprise Version.

I've tried to create a Field Transformation with this options:
regex = version
SourceKey = _raw
format = queue::nullQueue

But again, it doesn't work.

Any Ideas? Thanks.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-11-2015 08:14 AM

The props/transforms have to be setup on the indexers (in this case the splunkcloud instance)
But on sandbox/trials you cannot install your own apps, and cannot reach support to get help.

Therefore the solution is to use a heavy forwarder to be able to parse the events before forwarding them. (see @acharlieh answer)

0 Karma
Reply

acharlieh
Influencer
‎04-06-2015 02:00 PM

I'll readily admit that I'm not on Splunk Cloud, but one option could be to introduce a Heavy Forwarder in your architecture. (So UF -> HF -> Splunk Cloud. )

Since a Heavy Forwarder does all of the parsing (which a UF does not*), and since you control all of the settings here, you can then nullQueue on the Heavy Forwarder (before data leaves your network). If you want more than you ever wanted to know about Splunk's ingestion process I recommend: http://wiki.splunk.com/Community:HowIndexingWorks

* ...Know that in limited circumstances, a UF can also nullQueue, but it's not broadly applicable

Reply

andremidea
Engager
‎04-07-2015 07:17 AM

Thanks, for the help.

I don't think i can have a heavy forwarder with Splunk Cloud, just the UF. I tried to do the props/transforms.conf at UF level but it doesn't works as you said.

I'm trying to use the Splunk GUI to do this, but it doesn't seem to work.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-11-2015 08:15 AM

You can replace the Universal forwarder by a heavy forwarder (install a full splunk, and install the cloud forwarding app)

0 Karma
Reply

acharlieh
Influencer
‎04-07-2015 08:26 AM

According to the Splunk Cloud user manual, the way to get data that requires parsing to Splunk Cloud is to manage a Heavy Forwarder on premises. So I would think that setting up an HF is indeed an option with Cloud.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...