Event data filtering working in one environment but not in the other.

jincy_18
Path Finder

I have two clustered environments consisting of 3 SH, 3 Indexers and 1 HWF each, running on Splunk 6.4.1.
I need to filter out certain unwanted events coming from JMS queues and send them to the nullQueue.

I added the code below on the HWF in props.conf:

[my_sourcetype]
TRANSFORMS-set= setnull,setparsing

and this in transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?<=mbody=.{51}TQ-123|mbody=.{51}TQ-145)
DEST_KEY = queue
FORMAT = indexQueue

This is working perfectly in one cluster environment but not working in the other cluster environment. Since the conf files are the same and so is the version of the Splunk forwarders, indexers and servers, why does filtering fail on the 2nd environment?

Any suggestion as to how to debug this? Or what might be the reason for this?

Thanks !

0 Karma
1 Solution

hortonew
Builder

Assuming you've restarted Splunk on your HWF in the non-working environment:

1. Make sure you have permissions set the same in the metadata folder
2. Compare btool entries

Go to each and run:

splunk cmd btool props list --debug
splunk cmd btool transforms list --debug

First find the entry in props and make sure that sourcetype has your transforms applied.


0 Karma
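
The btool comparison suggested in the answer above can be scripted. This is an added example, not code from the thread or from Splunk: it parses saved `btool props list --debug` output from both heavy forwarders and reports which settings of a stanza differ and which conf file each value came from. The sample output, the app names `jms_filter` and `other_app`, and the assumed line format (file path, whitespace, then the setting) are constructed for illustration.

```python
# Constructed `splunk cmd btool props list --debug` output for two heavy forwarders
# (sample data, not from the thread). Assumed line format:
# "<conf file path> <stanza header | key = value>", with no spaces in the path.
PROPS_A = """\
/opt/splunk/etc/apps/jms_filter/local/props.conf  [my_sourcetype]
/opt/splunk/etc/system/default/props.conf         SHOULD_LINEMERGE = True
/opt/splunk/etc/apps/jms_filter/local/props.conf  TRANSFORMS-set = setnull,setparsing
"""
PROPS_B = """\
/opt/splunk/etc/apps/jms_filter/local/props.conf  [my_sourcetype]
/opt/splunk/etc/system/default/props.conf         SHOULD_LINEMERGE = True
/opt/splunk/etc/apps/other_app/local/props.conf   TRANSFORMS-set = setparsing
"""

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue  # blank line or a line without the path prefix
        path, body = parts[0], parts[1].strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif current is not None and "=" in body:
            key, value = body.split("=", 1)
            current[key.strip()] = (value.strip(), path)
    return stanzas

def _val(setting):
    """Effective value of a (value, source_file) pair; None marks a missing key."""
    return setting[0] if setting else None

def diff_stanza(a, b, stanza):
    """Return [(key, a_setting, b_setting)] for keys whose effective value differs."""
    sa, sb = a.get(stanza, {}), b.get(stanza, {})
    return [(k, sa.get(k), sb.get(k)) for k in sorted(set(sa) | set(sb))
            if _val(sa.get(k)) != _val(sb.get(k))]

def applied_transforms(props, stanza):
    """Return {TRANSFORMS-<class>: ([names in order], source_file)} for a stanza."""
    return {k: ([n.strip() for n in v.split(",") if n.strip()], src)
            for k, (v, src) in props.get(stanza, {}).items()
            if k.startswith("TRANSFORMS-")}

if __name__ == "__main__":
    env_a, env_b = parse_btool(PROPS_A), parse_btool(PROPS_B)
    for key, a_set, b_set in diff_stanza(env_a, env_b, "my_sourcetype"):
        print(f"{key}\n  A: {a_set}\n  B: {b_set}")
    print(applied_transforms(env_b, "my_sourcetype"))
```

The same parser works on saved `btool transforms list --debug` output, so `diff_stanza` can also compare the `setnull` and `setparsing` stanzas between the two environments.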


jincy_18
Path Finder

Thanks hortonew, suggestions were very useful.

0 Karma

lfedak_splunk
Splunk Employee

Hey @jincy_18, if @hortonew's response solved your problem, please accept the answer to award karma points and to close the question. Happy Splunking!

0 Karma