- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Ignore Events from Mutiple Sources
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ignore Events from Mutiple Sources
Hi,
I have multiple sources to one sourcetype. I'm trying to drop events and my props and transforms work fine by the sourcetype. However, I want to have different rules by sourcetype.
in Props.conf
[source::MyLogService*.log]
TRANSFORMS-grtrash2 = eliminate-debug
in Transform.conf
[eliminate-debug]
REGEX = (?m)-\s*DEBUG\s*-
DEST_KEY = queue
FORMAT = nullQueue
I've tried different combinations of defining the "source" and props.conf and nothing is working. Real source looks like:
\server\logfolder\MyLogService150520-01.log
Any ideas?
Thank you!
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The documentation says this:
Match expressions must match the entire name, not just a substring. If you are familiar
with regular expressions, match expressions are based on a full implementation of PCRE with the
translation of ..., * and . Thus . matches a period, * matches non-directory separators,
and ... matches any number of any characters.
For more information see the wildcards section at:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards
And the referenced like says this:
Important: Input path specifications in inputs.conf don't use regular expressions (regexes) but rather Splunk-defined wildcards.
So I think it needs to be like this:
[source::.../server\d+folder\$MyLogService\d+-\d+\.log]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Driving me batty,
With the source name of :
\server001\folder$\MyLogService150515-03.log
I did:
[source::\\server001\folder$\MyLogService*.log]
Still no go. grrr.
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the FULL PATH with literal filename (no RegEx) and work backwards from there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your RegEx is wrong:
[source::.*server\d+folder\$MyLogService\d+-\d+\.log]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I tried that and its still not working. This was a typo with me masking the real text. I validate my regex here: https://regex101.com/#python to make sure my entire source is captured.
Baffled....
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also changed the source to a full regex. Tested the regex is working correctly. Still not applying the Transforms. I can only get the Transforms to work by using the the sourcetype, baffled with source is not working.
In Props:
[source::.server\d+.folder\$.MyLogService\d+-\d+\.log]
TRANSFORMS-grtrash = setnull , setparsing, badError, badError2
The source:
\server001\folder$\MyLogService150515-03.log
Thanks
Chris
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
