Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to prevent pattern from being parsed and shown in to the logs.

saxenaamit
New Member
‎08-10-2016 02:24 PM

I am trying to parse this message and sending "Timer_ConnectionIdle" in to nullQueue. I am not using heavy forwarders so that I can't use props.conf and transforms.conf files in the app deployment folder ( where we have inputs.conf file for the related index). I am trying to change/ create files ( props.conf or transforms.conf) in SPLUNK_HOME/etc/system/local as suggested in articles to use indexers if there is a light forwarder.

2016-08-09 14:26:23 10.30.70.180 54809 10.30.15.216 80 - - - - - Timer_ConnectionIdle -
2016-08-09 14:23:28 10.30.60.203 57988 10.30.15.241 80 HTTP/1.1 GET /Ops/Main.asp?Bus_Unit=800024&busUnit=800024&country_id=US&RegionCode=&TabSelect=7&WhichTab=&type=summary - 27 Client_Reset sitedataasp.uat.crowncastle.com+AppPool

I am not getting this working even though I tried changing the location of props.conf and transforms.conf as well as configuration.

Transforms.conf
[null_filter]
REGEX=Timer_ConnectionIdle
DEST_KEY=queue
FORMAT=nullQueue

props.conf
[source::C:\Windows\System32\LogFiles\HTTPERR\httperr54.log]
TRANSFORMS-null=null_filter

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-11-2016 07:36 AM

Put the props and transforms on the universal forwarder AND the indexers.

0 Karma
Reply

sundareshr
Legend
‎08-10-2016 03:54 PM

Try this, restart splunk 

Transforms.conf
[null_filter]
REGEX=Timer_ConnectionIdle
DEST_KEY=queue
FORMAT=nullQueue

props.conf
[source::C:\\Windows\\System32\\LogFiles\\HTTPERR\\httperr54.log]
TRANSFORMS-null=null_filter
0 Karma
Reply

saxenaamit
New Member
‎08-11-2016 06:10 AM

Thanks Sunder. I have already tried it before and didn't get it working.

0 Karma
Reply

sundareshr
Legend
‎08-11-2016 07:35 AM

Did you try escaping the \ And is this on the indexer? Then I would suggest try using sourcetype stanze. Maybe something with the source stanza

0 Karma
Reply

saxenaamit
New Member
‎08-11-2016 08:07 AM

Did you try escaping the `` - I didn't get about what you are indicating.
And is this on the indexer- Yes, we are not using heavy forwarders so, I found that we need to use indexers to get this working.
Then I would suggest try using sourcetype stanze. Maybe something with the source stanza- I have tried with sourceType instead of using source. SourceType value what I used came from inputs.conf. I did't get it working.

Can you list steps to configure by which we can send data to nullQueue without using heavy forwarders? It seems I might be missing a step.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...