
Search to list all regexp in a stanza that alter the key QUEUE to nullQueue

Masterbaker
Explorer

Hi! I'm using props.conf and transforms.conf (directly on my indexer) to prevent specific events from being indexed by Splunk, to save disk space and keep our licensing costs low.

Example transforms.conf :

[discard_useless_stuff]
REGEX=my_regexp_to_match_unwanted_events
DEST_KEY = queue
FORMAT = nullQueue

I'd like to provide my end users with a dashboard / report that shows them all the stuff that is getting discarded that way so they can look up that search before bugging me for assistance.

Question : Is there a query I could use from splunkweb to list all of the regexps that are in a stanza that is altering the key QUEUE to nullQueue?
Bonus points : Any way to get a metric showing the number of events discarded using this method?
Triple bonus points : Same questions, but when stuff gets discarded on a heavy forwarder?

Thanks!

0 Karma

somesoni2
SplunkTrust

Answer 1: Assuming your transforms.conf entries that filter events are kept on the indexers, and the indexers are added as search peers to your search head, run this from your search head to get the list of REGEXes.

| rest /services/configs/conf-transforms | search DEST_KEY=queue FORMAT=nullQueue | dedup id

To get the same info from intermediate forwarders, you need to add them (or one of them) as a search peer to your search head (or to the instance from which you'd run this query).

Answer 2: This will give you rough metrics on the number of events discarded (it uses the nullqueue entries in the metrics logs, which show nullqueue sizes).

index=_internal sourcetype=splunkd component=Metrics group=queue name=nullqueue current_size>0 | stats sum(current_size) as Discarded_events

This should work for both indexers and intermediate forwarders (as long as internal logs are being forwarded to the indexers).

0 Karma
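The two searches in the answer above need a live search head with the indexers (or forwarders) as search peers. As an added example that is not part of the original thread, the script below does the same audit offline against copies of the .conf files and a metrics.log: it lists every transforms.conf stanza that routes to nullQueue (DEST_KEY = queue, FORMAT = nullQueue), joins them to the props.conf stanzas that invoke them through TRANSFORMS-<name> so you can see which sourcetypes are affected, and sums the nullqueue current_size samples from metrics.log the way the second SPL search does. The three config/log samples are constructed for the example; the function names are my own.

```python
"""Offline audit of Splunk nullQueue filters (added example, not from the
thread). Inputs below are constructed samples, not real deployment config."""
import configparser
import re
from collections import defaultdict

TRANSFORMS_CONF = """\
[discard_useless_stuff]
REGEX=my_regexp_to_match_unwanted_events
DEST_KEY = queue
FORMAT = nullQueue

[drop_debug_lines]
REGEX = ^\\S+\\s+DEBUG\\s
DEST_KEY = queue
FORMAT = nullQueue

[set_index_for_audit]
REGEX = EventCode=4624
DEST_KEY = _MetaData:Index
FORMAT = wineventlog

[keep_errors]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue
"""

PROPS_CONF = """\
[syslog]
TRANSFORMS-drop = discard_useless_stuff, drop_debug_lines

[WinEventLog:Security]
TRANSFORMS-route = set_index_for_audit
"""

# Constructed metrics.log samples (group=queue lines; the indexqueue one must be ignored).
METRICS_LOG = """\
05-01-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=nullqueue, max_size_kb=500, current_size_kb=0, current_size=12, largest_size=40, smallest_size=0
05-01-2024 10:01:02.456 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=3, current_size=7, largest_size=9, smallest_size=0
05-01-2024 10:01:02.789 +0000 INFO  Metrics - group=queue, name=nullqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=40, smallest_size=0
05-01-2024 10:01:33.012 +0000 INFO  Metrics - group=queue, name=nullqueue, max_size_kb=500, current_size_kb=1, current_size=25, largest_size=40, smallest_size=0
"""


def _load(conf_text):
    # Splunk .conf files are INI-like: '=' only as delimiter, '#' comments, case-sensitive keys.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#",), interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in their original case
    cp.read_string(conf_text)
    return cp


def nullqueue_stanzas(transforms_text):
    """Return {stanza: regex} for every transform that discards events to nullQueue."""
    cp = _load(transforms_text)
    found = {}
    for stanza in cp.sections():
        dest = cp.get(stanza, "DEST_KEY", fallback="").strip()
        fmt = cp.get(stanza, "FORMAT", fallback="").strip()
        if dest.lower() == "queue" and fmt.lower() == "nullqueue":
            found[stanza] = cp.get(stanza, "REGEX", fallback="")
    return found


def discards_by_props_stanza(props_text, transforms_text):
    """Map each props.conf stanza (sourcetype/source/host) to the nullQueue
    transforms it invokes, in the comma-separated order Splunk applies them."""
    dropping = nullqueue_stanzas(transforms_text)
    cp = _load(props_text)
    result = defaultdict(list)
    for stanza in cp.sections():
        for key, value in cp.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (v.strip() for v in value.split(",")):
                if name in dropping:
                    result[stanza].append((name, dropping[name]))
    return dict(result)


_NULLQ_RE = re.compile(r"group=queue,\s*name=nullqueue,.*?\bcurrent_size=(\d+)")


def nullqueue_current_size_total(metrics_text):
    """Sum current_size over nullqueue samples, as the SPL above does. This is a
    rough queue-depth figure, not an exact count of discarded events."""
    total = 0
    for line in metrics_text.splitlines():
        m = _NULLQ_RE.search(line)
        if m:
            total += int(m.group(1))
    return total


if __name__ == "__main__":
    for stanza, regex in nullqueue_stanzas(TRANSFORMS_CONF).items():
        print(f"{stanza}: REGEX={regex}")
    for props_stanza, hits in discards_by_props_stanza(PROPS_CONF, TRANSFORMS_CONF).items():
        print(props_stanza, "->", [name for name, _ in hits])
    print("nullqueue current_size total:", nullqueue_current_size_total(METRICS_LOG))
```

Point it at copies of the effective config (e.g. the output of `splunk btool transforms list` and `splunk btool props list`) rather than a single file, since a stanza in an app can override one in system/local. The join through TRANSFORMS- is what turns the list of regexes into something a user can act on: it tells them which sourcetype the drop applies to, and therefore where a missing event went.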