Solved: Not able to filter nagios:core logs after ingestio...

kishor_pinjarka · ‎12-16-2019

Hi,

I am able to see logs ingested into Splunk, however, not able to to filter nagios:core logs. Also not able to see _raw field. Please see attached image.

Input stanza used on UF:

@### local]# cat inputs.conf

[monitor:///usr/local/nagios/var/nagios.log]
index=nagios
sourcetype = nagios:core

gcusello · ‎12-17-2019

Hi @kishor_pinjarkar_ebay,
to filter logs, you have to configure props and transfroms on Indexers or (when present) Heavy Forwarders:
In props.conf, set the TRANSFORMS-null attribute:

[nagios:core]
TRANSFORMS-null= setnull

Create a corresponding stanza in transforms.conf. Find the regex to find the events to discard, set DEST_KEY to "queue" and FORMAT to "nullQueue":

[setnull]
REGEX = regex to filter
DEST_KEY = queue
FORMAT = nullQueue

For more information see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad

Ciao.
Giuseppe

View solution in original post

gcusello · ‎12-17-2019

Hi @kishor_pinjarkar_ebay,
to filter logs, you have to configure props and transfroms on Indexers or (when present) Heavy Forwarders:
In props.conf, set the TRANSFORMS-null attribute:

[nagios:core]
TRANSFORMS-null= setnull

Create a corresponding stanza in transforms.conf. Find the regex to find the events to discard, set DEST_KEY to "queue" and FORMAT to "nullQueue":

[setnull]
REGEX = regex to filter
DEST_KEY = queue
FORMAT = nullQueue

For more information see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad

Ciao.
Giuseppe

kishor_pinjarka · ‎12-17-2019

Sorry to mention you that, filtering is not working in Search.

Means when I write index=### sourcetype=### "keyword for filter"
then I am not able to see anything even though those keywords are present in logs.

Let me know if you need more details. And thank you for your response.

gcusello · ‎12-17-2019

Hi @kishor_pinjarkar_ebay,
what search mode are you using? you have to use Verbose.

Ciao.
Giuseppe

kishor_pinjarka · ‎12-17-2019

Yes, I tried that earlier. However, same results.

gcusello · ‎12-17-2019

Hi @kishor_pinjarkar_ebay,
what's the behaviour adding search terms one by one, eventually using the Splunk features?

start from index=nagios,
and then choose the sourcetype by Interesting fields panel,
then choose the keywords clicking on them one by one and adding to the search

Ciao.
Giuseppe

kishor_pinjarka · ‎12-18-2019

Yes, like that it's working 🙂

However, why I am not able to see _raw event when I am expanding the event from right hand side? Any idea?

gcusello · ‎12-18-2019

Hi @kishor_pinjarkar_ebay,
you don't see _raw in the fields list, to have _raw, you have to select the Raw mode in the button over i and Time and on the left of Format.

If this answer solves your question, please accept and/or upvote it.

Ciao and next time.
Giuseppe

kishor_pinjarka · ‎12-18-2019

Thank you 🙂

gcusello · ‎12-18-2019

You're welcome!
Ciao and next time.
Giuseppe

Not able to filter nagios:core logs after ingestion

@### local]# cat inputs.conf

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk