Solved: Re: Can you help me send events to null queue from...

iatwal · ‎09-27-2018

I have these types of logs coming into Splunk today from 3 heavy forwarders (syslog servers) via inputs.conf apps I've deployed from a deployer.

Sep 27 07:11:08 hq1acptrvra1202.me.com ea_tomcat: env=ACPT  profile=claymore Sep 27 07:11:08 hq1acptrvra1202.me.com ea_tomcat: env=ACPT  profile=claymore  (nmon) CMD (/etc/nmon-logger/bin/nmon_helper.sh /etc/nmon-logger /var/log/nmon-logger >> /var/log/nmon-logger/nmon_collect.log 2>&1)

I want to send all events with "nmon" in them to the Null Queue. I created an app to send out props/tranforms to the Heavy Forwarders and for consistency I sent the same to our cluster of indexers. Logs are still coming in. What are we missing?

Source:

/vcaclog/ACPT/broker-fad-api/hq1acptrvra0775.me.com/ea_tomcat.log

everything segment after /vcaclog/ can be dynamic.

props.conf

[source::/vcaclog/*]
TRANSFORMS-null= setnull-test

transforms.conf

[setnull-test]
REGEX = (?m)(nmon)
DEST_KEY = queue
FORMAT = nullQueue

FrankVl · ‎09-27-2018

Try:

[source::/vcaclog/...]

* doesn't match across / characters in source.

View solution in original post

FrankVl · ‎09-27-2018

Try:

[source::/vcaclog/...]

* doesn't match across / characters in source.

iatwal · ‎09-27-2018

Thank you this worked!

FrankVl · ‎09-28-2018

Glad to hear that 🙂

Please mark the answer as accepted, so others can also quickly find this as the correct answer if they stumble upon the same question 🙂

iatwal · ‎09-27-2018

so after /vcacalog/... I should have 3 dots?

493669 · ‎09-27-2018

Yes..
please refer this more info-
http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/Specifyinputpathswithwildcards

Can you help me send events to null queue from a farm of heavy forwarders (syslog servers)?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk