Solved: Why is the Null Queue Not Working?

jordanking1992 · ‎03-07-2018

Hello,

Here is a sample log event I would like to filter:

20180307 11:11:08.795 [process:flow] [INFO] Thread is returning to available thread pool DM.Appl.ThreadPool

Here is current props.conf
[source::/opt/CA/tracelog.txt]
TRANSFORMS-null= setnull

Here is current transforms.conf
[setnull]
REGEX = (?i)[INFO]
DEST_KEY = queue
FORMAT = nullQueue

I would like to send all events that contain [INFO] to null queue but the current configurations on the indexer do not seem to be working. Any thoughts on what might be wrong?

Thanks!

gcusello · ‎03-07-2018

hI jordanking1992,
square parenthesis is a special char for regexes so you have to escape them, try

REGEX = (?i)\[INFO\]

Bye.
Giuseppe

View solution in original post

gcusello · ‎03-07-2018

hI jordanking1992,
square parenthesis is a special char for regexes so you have to escape them, try

REGEX = (?i)\[INFO\]

Bye.
Giuseppe

king2jd · ‎03-07-2018

Giuseppe,

Thank you so much. Cant believe it was something so simple.

Respectfully,
Jordan

gcusello · ‎03-07-2018

Hi hI jordanking1992,
if you're satisfied by this answer please accept and/or upvote it.
Bye.
Giuseppe

Why is the Null Queue Not Working?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life