- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Need to prevent pattern from being parsed and show...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to prevent pattern from being parsed and shown in to the logs.
I am trying to parse this message and sending "Timer_ConnectionIdle" in to nullQueue. I am not using heavy forwarders so that I can't use props.conf and transforms.conf files in the app deployment folder ( where we have inputs.conf file for the related index). I am trying to change/ create files ( props.conf or transforms.conf) in SPLUNK_HOME/etc/system/local as suggested in articles to use indexers if there is a light forwarder.
2016-08-09 14:26:23 10.30.70.180 54809 10.30.15.216 80 - - - - - Timer_ConnectionIdle -
2016-08-09 14:23:28 10.30.60.203 57988 10.30.15.241 80 HTTP/1.1 GET /Ops/Main.asp?Bus_Unit=800024&busUnit=800024&country_id=US&RegionCode=&TabSelect=7&WhichTab=&type=summary - 27 Client_Reset sitedataasp.uat.crowncastle.com+AppPool
I am not getting this working even though I tried changing the location of props.conf and transforms.conf as well as configuration.
Transforms.conf
[null_filter]
REGEX=Timer_ConnectionIdle
DEST_KEY=queue
FORMAT=nullQueue
props.conf
[source::C:\Windows\System32\LogFiles\HTTPERR\httperr54.log]
TRANSFORMS-null=null_filter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put the props and transforms on the universal forwarder AND the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this, restart splunk
Transforms.conf
[null_filter]
REGEX=Timer_ConnectionIdle
DEST_KEY=queue
FORMAT=nullQueue
props.conf
[source::C:\\Windows\\System32\\LogFiles\\HTTPERR\\httperr54.log]
TRANSFORMS-null=null_filter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Sunder. I have already tried it before and didn't get it working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try escaping the \ And is this on the indexer? Then I would suggest try using sourcetype stanze. Maybe something with the source stanza
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try escaping the `` - I didn't get about what you are indicating.
And is this on the indexer- Yes, we are not using heavy forwarders so, I found that we need to use indexers to get this working.
Then I would suggest try using sourcetype stanze. Maybe something with the source stanza- I have tried with sourceType instead of using source. SourceType value what I used came from inputs.conf. I did't get it working.
Can you list steps to configure by which we can send data to nullQueue without using heavy forwarders? It seems I might be missing a step.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
