Search to list all regexp in a stanza that alter t...

Masterbaker · ‎11-10-2017

Hi! I'm using props.conf and transforms.conf (directly on my indexer) to prevent specific events from being indexed by Splunk, to save disk space and keep our licensing costs low.

Example transforms.conf :

[discard_useless_stuff]
REGEX=my_regexp_to_match_unwanted_events
DEST_KEY = queue
FORMAT = nullQueue

I'd like to provide my end users with a dashboard / report that shows them all the stuff that is getting discarded that way so they can look up that search before bugging me for assistance.

Question : Is there a query I could use from splunkweb to list all of the regexps that are in a stanza that is altering the key QUEUE to nullQueue?
Bonus points : Any way to get a metric showing the number of events discarded using this method?
Triple bonus points : Same questions, but when stuff gets discarded on a heavy forwarder?

Thanks!

somesoni2 · ‎11-10-2017

Answer 1: With your transforms.conf entry to filter events are kept in Indexers and Indexers are added as search peer to your Search Heads, run this from your search head to get list of REGEXes.

| rest /services/configs/conf-transforms | search DEST_KEY=queue FORMAT=nullQueue | dedup id

To get the same info from Intermediate Forwarders, you need to add them (or one of them) as search peer to your search head (or instance from which you'd run this query).

Answer 2: This will give you a rough metrics about number of events discarded (uses the nullqueue metrics logs showing nullqueue sizes).

index=_internal sourcetype=splunkd component=Metrics group=queue name=nullqueue current_size>0 | stats sum(current_size) as Discarded_events

This should work for both Indexes are Intermediate forwarders (as long as internal logs are being forwarded to indexes).

Search to list all regexp in a stanza that alter the key QUEUE to nullQueue

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life