Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sending data to nullqueue using props and transafoms is not working.

SagarSplunk
Engager
‎07-20-2017 04:56 AM

Hi All,

I am trying to send data to nullqueue so that events will not get indexed. we can save license consumption.

Props.conf

[testfiltering]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
TRANSFORMS-SERVICE = eventsDrop

transforms.conf

[eventsDrop]
REGEX = (?m)^THREAD.SERVICE-.*E2ELoggingSupport.
DEST_KEY = queue
FORMAT = nullQueue

Log details to be filtered
2017-07-05 15:54:30.157 INFO THREAD-1321 SERVICE-[MDP Feeder]_BusinessFlowSelectorService_H075F54304221O1P H075F54304321O1Q E2ELoggingSupport : Payment Id: H075F54304321O1Q, JMS msg received header [Destination=queue:///GPP.FROMDP.SEND.PAYMNT.INSTRCTN.IN,DeliveryMode=2,Expiration=0 null,Priority=4,MessageID=ID:414d51204445564750503032202020205959ceef1000b103,Timestamp=1499233913142 2017-07-05T15:51:53.142,CorrelationID=null,ReplyTo=null,Redelivered=false,Type=null] PropertyNames=[JMS_IBM_Format=MQSTR ][JMS_IBM_Character_Set=UTF-8][JMSXDeliveryCount=1][JMS_IBM_Encoding=273][JMSXUserID=pegapsup ][JMS_IBM_MsgType=8][JMS_IBM_PutApplType=28][JMS_IBM_PutDate=20170705][JMS_IBM_PutTime=05512391][JMSXAppID=hermes.browser.HermesBrowser]

Thanks/Sagar

Tags (1)
0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-20-2017 02:31 PM

Your RegEx anchors "THREAD" to the beginning of the line, but it doesn't show up at the beginning of the line. Either add the patterns for timestamp and category to your RegEx or remove the caret (^).

Also, make sure you put those configs where the parsing occurs; probably your indexers.

0 Karma
Reply

SagarSplunk
Engager
‎07-20-2017 08:57 PM

HI SSievert,
Now I changed my configurations as below but still I am unable to filter out the above events. am I missing something? syntax is correct for regex? I trying to filter out events before it index

[eventsDrop]
REGEX = SERVICE-.E2ELoggingSupport.
DEST_KEY = queue
FORMAT = nullQueue

Thanks/Sagar

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-21-2017 12:43 PM

You need an "*" after the first "." to match on more than just one character. You can also skip the last "." Try this:
[eventsDrop]
REGEX = SERVICE-.*E2ELoggingSupport
DEST_KEY = queue
FORMAT = nullQueue
Drop it on your indexer and restart Splunk.

BTW, RegExr is a good tool to test whether your RegEx constructs work. 😉

0 Karma
Reply

SagarSplunk
Engager
‎07-21-2017 11:18 PM

Hi SSievert

I tried above Regex its too not working for me are there limitation for free version of splunk.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-22-2017 11:03 AM

There are limitations in the free version of Splunk, but this is not one of them.
If you make sure that

  • the stanza name in props.conf matches your sourcetype and
  • the stanza name in transforms matches what you used after TRANSFORMS-xxxx= and
  • your RegEx works and matches what you want to match and
  • you deploy props/transforms in the right place (where parsing happens, i.e. indexer or heavy forwarder, NOT universal forwarder)
  • you restart splunk or reload the configuration after making the change

this will work with any version of Splunk Enterprise.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...