Can't replace a healthcheck string in nginx

scalp42
New Member

Hi,

I have looked at the docs and tried to remove a line from the nginx access log regarding our LB:

192.168.27.169 - - [30/Oct/2012:23:02:53 +0000] "GET /node/lbtest.txt HTTP/1.0" 200 9 "-" "HTTP-Monitor/1.1" "-"

and

Started GET "/node/lbtest.txt" for 127.0.0.1 at 2012-10-30 23:55:58 +0000
Processing by HealthCheckController#lbtest as TXT

Here is my props.conf:

[sourcetype::access_combined_wcookie]
TRANSFORMS-ignore=ignore

[sourcetype::production-2]
TRANSFORMS-null=setnull

[sourcetype::access_combined_wcookie]
TRANSFORMS-null2=nukefromorbit

[host::app*]
SEDCMD-health = s/lbtest/DEVOPS/g

Please note that the production-2 and access_combined_wcookie sourcetypes parse Nginx logs.

The host sending the event is app-05.

Here is my transforms.conf:

[ignore]
REGEX = (?m)*lbtest*
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = lbtest|HealthCheckController
DEST_KEY = queue
FORMAT = nullQueue

[nukefromorbit]
REGEX = *
DEST_KEY = queue
FORMAT = nullQueue

This conf is obviously destructive by nature (as in, way beyond removing this lbtest line, mix-n-matching), as I've tried anything possible to remove this line from the logs.

I have restarted the Splunk forwarder and I'm running out of solutions.

Thank you in advance.

0 Karma
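An added example, not from the post or from Splunk, that replays the three posted transforms against the posted sample events in Python. The names SAMPLE_EVENTS, POSTED_TRANSFORMS, compile_regex, validate_transforms and route_event are assumptions of this script; the fourth event is a constructed ordinary request added to show what must survive. It shows why two of the three stanzas can never fire: Splunk's REGEX is a regular expression, and `*` or `(?m)*lbtest*` is a shell-style glob, so neither compiles. Only [setnull] does real work, and it does match every health-check line. That leaves the question the thread goes on to ask, namely whether the matching stanza is on the host where parsing actually happens.

```python
import re

# Constructed sample events: the nginx and Rails lines quoted in the post,
# plus one ordinary request that must NOT be dropped.
SAMPLE_EVENTS = [
    '192.168.27.169 - - [30/Oct/2012:23:02:53 +0000] "GET /node/lbtest.txt HTTP/1.0" 200 9 "-" "HTTP-Monitor/1.1" "-"',
    'Started GET "/node/lbtest.txt" for 127.0.0.1 at 2012-10-30 23:55:58 +0000',
    'Processing by HealthCheckController#lbtest as TXT',
    '10.0.0.5 - - [30/Oct/2012:23:03:10 +0000] "GET /node/index.html HTTP/1.0" 200 512 "-" "Mozilla/5.0" "-"',
]

# The three transforms as posted (stanza name -> REGEX). DEST_KEY and FORMAT
# are identical for all of them (queue -> nullQueue), so only the regex matters.
POSTED_TRANSFORMS = {
    "ignore": r"(?m)*lbtest*",
    "setnull": r"lbtest|HealthCheckController",
    "nukefromorbit": r"*",
}


def compile_regex(pattern):
    """Return a compiled regex, or None when the pattern is not valid regex.

    '*' and '(?m)*' are globs, not regex: a quantifier with nothing before it
    is a syntax error in Python's re and in PCRE (the engine Splunk uses) alike.
    """
    try:
        return re.compile(pattern)
    except re.error:
        return None


def validate_transforms(transforms):
    """Map each stanza name to whether its REGEX compiles at all."""
    return {name: compile_regex(rx) is not None for name, rx in transforms.items()}


def route_event(event, transforms):
    """Mimic a TRANSFORMS-* chain whose stanzas all send matches to nullQueue.

    Stanzas are tried in the order given; the first match decides. Splunk's
    REGEX is unanchored, so re.search (not fullmatch) is the right comparison.
    """
    for rx in transforms.values():
        compiled = compile_regex(rx)
        if compiled is None:
            continue  # an uncompilable REGEX can never match anything
        if compiled.search(event):
            return "nullQueue"
    return "indexQueue"


def route_all(events, transforms):
    """Route every event and return the queue each one ends up in."""
    return [route_event(e, transforms) for e in events]


if __name__ == "__main__":
    print(validate_transforms(POSTED_TRANSFORMS))
    for event, queue in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, POSTED_TRANSFORMS)):
        print(f"{queue:10s} {event[:60]}")
```

Run stand-alone it reports ignore and nukefromorbit as invalid, routes the three health-check lines to nullQueue via [setnull], and keeps the ordinary request. The same check is a cheap way to vet any new nullQueue stanza before deploying it, since a stanza that matches too broadly silently discards evidence.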

gkanapathy
Splunk Employee
0 Karma

scalp42
New Member

I think it has to be on the forwarder/nginx host.

0 Karma

gkanapathy
Splunk Employee

I guess my point was, is it on the right server?

0 Karma

scalp42
New Member

I'm pretty sure it is:

Parsing

props.conf

LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings
TZ, DATETIME_CONFIG, TIME_FORMAT, TIME_PREFIX, and all other time extraction settings and rules
TRANSFORMS* which includes per-event queue filtering, per-event index assignment, per-event routing. Applied in the order defined
SEDCMD*
MORE_THAN*, LESS_THAN*

transforms.conf

stanzas referenced by a TRANSFORMS* clause in props.conf
0 Karma