We have a certain logfile (tied to sourcetype: syslog) inbound from a forwarder which has THIS line in it:
2012-07-02 15:29:52,190 DEBUG [http-0.0.0.0-8080-3] LoggingFilter - url=[/healthCheck/status],
We want to filter out any events ON THE INDEXER SIDE that have this content -> /healthCheck/status.
We tried making the following changes to:
i) $SPLUNK_HOME/etc/system/local/props.conf
[sourcetype::syslog]
TRANSFORMS-null=ignore
and then over at
ii) $SPLUNK_HOME/etc/system/local/transforms.conf
[ignore]
REGEX=healthCheck
DEST_Key=queue
FORMAT=nullQueue
However, that does not seem to work, and I am certain it's because the REGEX is not set up correctly.
I have tried the following alternatives that do not work out either:
1. REGEX= \[(healthCheck)\]
2. REGEX= (^m)(healthCheck)
3. REGEX= \healthCheck\status
4. REGEX= ^\S+\s+(?<healthCheck>\S+)
Also, is it likely that the changes ought to be made to the props.conf and transforms.conf which reside at $SPLUNK_HOME/etc/apps/search/local instead? Any suggestions?
This regex should match /healthCheck/status
REGEX=/healthCheck/status
None of these characters are special characters to regex. If you want to match [/healthCheck/status], then this should do it:
REGEX=\[/healthCheck/status]
If neither of these works, then perhaps the problem is elsewhere. For example it is not
DEST_Key=queue
But
DEST_KEY=queue
So check your transforms.conf and props.conf very carefully. Of course, perhaps that was just a typo in your question here, not in the original file...
HTH
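To see what each REGEX from the question and the answer would actually do at the indexer, here is an added example (not from the thread or from Splunk itself) that emulates a nullQueue transform over the question's event plus two constructed events that must be kept. It translates the two PCRE-only constructs Splunk would accept (named groups and \h) into Python re syntax; the question's original REGEX=healthCheck does match, which supports the answer's point that the fault lay in DEST_Key rather than the pattern.

```python
import re

# Constructed sample events: the first is the health-check line from the
# question; the other two are made up and must survive filtering. The third
# contains the bare word "healthCheck" to expose over-matching patterns.
EVENTS = [
    "2012-07-02 15:29:52,190 DEBUG [http-0.0.0.0-8080-3] LoggingFilter - url=[/healthCheck/status],",
    "2012-07-02 15:29:53,002 INFO  [http-0.0.0.0-8080-4] LoggingFilter - url=[/api/login],",
    "2012-07-02 15:29:54,117 WARN  [http-0.0.0.0-8080-2] AuthFilter - user=alice result=healthCheckFailed",
]

# REGEX values as tried in the question (question, alt1..alt4) and proposed in the answer.
CANDIDATES = {
    "question": r"healthCheck",
    "alt1": r"\[(healthCheck)\]",
    "alt2": r"(^m)(healthCheck)",
    "alt3": r"\healthCheck\status",
    "alt4": r"^\S+\s+(?<healthCheck>\S+)",
    "answer": r"/healthCheck/status",
    "answer_bracketed": r"\[/healthCheck/status]",
}


def pcre_to_python(regex: str) -> str:
    r"""Splunk evaluates REGEX with PCRE; Python's re rejects two constructs used above.
    (?<name>...) becomes (?P<name>...) (lookbehinds (?<= and (?<! are left alone), and
    \h (PCRE horizontal whitespace) is approximated as [ \t]."""
    regex = re.sub(r"\(\?<(?![=!])", "(?P<", regex)
    return regex.replace(r"\h", r"[ \t]")


def route(event: str, regex: str) -> str:
    """Emulate a transforms.conf stanza with DEST_KEY=queue and FORMAT=nullQueue:
    an event whose raw text matches REGEX anywhere is sent to nullQueue (dropped);
    everything else continues to indexQueue."""
    return "nullQueue" if re.search(pcre_to_python(regex), event) else "indexQueue"


def kept_events(events, regex):
    """Events that would still be indexed under the given REGEX."""
    return [e for e in events if route(e, regex) == "indexQueue"]


if __name__ == "__main__":
    for name, regex in CANDIDATES.items():
        dropped = len(EVENTS) - len(kept_events(EVENTS, regex))
        print(f"{name:17} REGEX={regex:32} drops {dropped}/{len(EVENTS)} events")
```

Note that alt4 matches every line that starts with two whitespace-separated tokens, so on this input it would send all three events to nullQueue, while the bare word healthCheck also drops the unrelated third event.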
I take that back, it worked out indeed!