I'm trying to filter some events on an indexer that I'm not interested in. I have a single indexer/search node and three app server nodes that I'm running a SplunkLightForwarder on. The input to each of the SLF is the following (inputs.conf):
[monitor:///home/tomcat1/apache-tomcat-6.0.24/logs]
disabled=false
host=prod_228_1
index=production
There are several different kinds of log files in the logs directory monitored above. I'm trying to filter the following log entries out of localhost_access log files in the above mentioned directory:
10.72.134.3 - - [20/Aug/2010:16:13:55 -0700] "GET /ddp/server/healthCheck " 200 86
I understand that I cannot filter using SLF, so I'm setting up a filter to throw these events away on the indexer node.
In my $(SPLUNK_HOME)/etc/system/locals/props.conf on the indexer node I have the following:
[source::home/tomcat1/apache-tomcat-6.0.24/logs]
TRANSFORMS-null= setnull
In my $(SPLUNK_HOME)/etc/system/locals/transforms.conf on the indexer node I have the following:
[setnull]
REGEX = healthCheck
DEST_KEY = queue
FORMAT = nullQueue
After configuring as described above and restarting, the indexer node is still indexing the healthCheck entries in my log files.
I've checked several questions/answers in this forum and cannot find a resolution to my problem. What am I doing wrong?
I would suggest using a sourcetype in place of source. Since the source will be set to each file under the directory being monitored, the transforms may not match. You can try the following:
On fwd:
[monitor:///home/tomcat1/apache-tomcat-6.0.24/logs]
disabled=false
host=prod_228_1
index=production
sourcetype=apache_logs
On indexer:
# props.conf (a sourcetype stanza is written as the bare sourcetype name)
[apache_logs]
TRANSFORMS-null=setnull

# transforms.conf
[setnull]
REGEX = healthCheck
DEST_KEY = queue
FORMAT = nullQueue
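An added Python model (not Splunk's code and not part of this thread) of how these props.conf stanzas select events, run over constructed sample events: each event's source is the full file path, so the directory-only source:: stanza from the question matches nothing, while the sourcetype stanza from the answer routes the healthCheck hits to nullQueue. The file names, the third event, and the source:: glob semantics (`...` matches across `/`, `*` within one path segment) are assumptions.

```python
import re

# Constructed sample events; the source is the full path of each monitored file.
EVENTS = [
    {"source": "/home/tomcat1/apache-tomcat-6.0.24/logs/localhost_access_log.2010-08-20.txt",
     "sourcetype": "apache_logs",
     "raw": '10.72.134.3 - - [20/Aug/2010:16:13:55 -0700] "GET /ddp/server/healthCheck " 200 86'},
    {"source": "/home/tomcat1/apache-tomcat-6.0.24/logs/localhost_access_log.2010-08-20.txt",
     "sourcetype": "apache_logs",
     "raw": '10.72.134.9 - - [20/Aug/2010:16:14:02 -0700] "GET /ddp/server/login " 200 512'},
    {"source": "/home/tomcat1/apache-tomcat-6.0.24/logs/catalina.out",   # assumed file
     "sourcetype": "apache_logs",
     "raw": "INFO: healthCheck servlet initialised"},
]

TRANSFORMS = {"setnull": {"REGEX": "healthCheck", "DEST_KEY": "queue", "FORMAT": "nullQueue"}}

def stanza_matches(stanza, event):
    """Simplified model of props.conf stanza matching (an assumption, not Splunk's code):
    source::<pattern> is matched against the whole source path, where '...' matches any
    characters including '/' and '*' matches anything except '/'; any other stanza name is
    compared with the event's sourcetype."""
    if stanza.startswith("source::"):
        pattern = re.escape(stanza[len("source::"):])
        pattern = pattern.replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
        return re.fullmatch(pattern, event["source"]) is not None
    return stanza == event["sourcetype"]

def route(event, props):
    """Return 'nullQueue' when a matching stanza's TRANSFORMS-* regex hits the raw event,
    otherwise 'indexQueue'."""
    for stanza, settings in props.items():
        if not stanza_matches(stanza, event):
            continue
        for key, names in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in names.split(","):
                t = TRANSFORMS[name.strip()]
                if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], event["raw"]):
                    return t["FORMAT"]
    return "indexQueue"

def tally(props):
    """Count how many sample events a props.conf variant sends to each queue."""
    counts = {}
    for ev in EVENTS:
        counts[route(ev, props)] = counts.get(route(ev, props), 0) + 1
    return counts

ASKER_PROPS = {"source::/home/tomcat1/apache-tomcat-6.0.24/logs": {"TRANSFORMS-null": "setnull"}}
ANSWER_PROPS = {"apache_logs": {"TRANSFORMS-null": "setnull"}}
WILDCARD_PROPS = {"source::/home/tomcat1/apache-tomcat-6.0.24/logs/...": {"TRANSFORMS-null": "setnull"}}
```

The third sample event shows the caveat that a bare REGEX of healthCheck discards any event containing that string in every file carrying the sourcetype, so a more anchored regex may be wanted.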
Just one dumb question -- is the "$SPLUNK_HOME/etc/system/locals" a typo? The directory is actually "$SPLUNK_HOME/etc/system/local".