Hi,
I am able to see logs ingested into Splunk, however, not able to to filter nagios:core logs. Also not able to see _raw field. Please see attached image.
Input stanza used on UF:
[monitor:///usr/local/nagios/var/nagios.log]
index=nagios
sourcetype = nagios:core
Hi @kishor_pinjarkar_ebay,
to filter logs, you have to configure props and transfroms on Indexers or (when present) Heavy Forwarders:
In props.conf, set the TRANSFORMS-null attribute:
[nagios:core]
TRANSFORMS-null= setnull
Create a corresponding stanza in transforms.conf. Find the regex to find the events to discard, set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = regex to filter
DEST_KEY = queue
FORMAT = nullQueue
For more information see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad
Ciao.
Giuseppe
Hi @kishor_pinjarkar_ebay,
to filter logs, you have to configure props and transfroms on Indexers or (when present) Heavy Forwarders:
In props.conf, set the TRANSFORMS-null attribute:
[nagios:core]
TRANSFORMS-null= setnull
Create a corresponding stanza in transforms.conf. Find the regex to find the events to discard, set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = regex to filter
DEST_KEY = queue
FORMAT = nullQueue
For more information see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad
Ciao.
Giuseppe
Sorry to mention you that, filtering is not working in Search.
Means when I write index=### sourcetype=### "keyword for filter"
then I am not able to see anything even though those keywords are present in logs.
Let me know if you need more details. And thank you for your response.
Hi @kishor_pinjarkar_ebay,
what search mode are you using? you have to use Verbose.
Ciao.
Giuseppe
Yes, I tried that earlier. However, same results.
Hi @kishor_pinjarkar_ebay,
what's the behaviour adding search terms one by one, eventually using the Splunk features?
index=nagios
, Ciao.
Giuseppe
Yes, like that it's working 🙂
However, why I am not able to see _raw event when I am expanding the event from right hand side? Any idea?
Hi @kishor_pinjarkar_ebay,
you don't see _raw in the fields list, to have _raw, you have to select the Raw mode in the button over i and Time and on the left of Format.
If this answer solves your question, please accept and/or upvote it.
Ciao and next time.
Giuseppe
Thank you 🙂
You're welcome!
Ciao and next time.
Giuseppe