My Heavy Forwarder forwards data to the indexer fine; however, I wanted to filter out some events before they are forwarded, using props.conf and transforms.conf, but the indexer still receives everything.
props.conf:
[source::/var/log/vsftpd.log]
TRANSFORMS-null = setnull
transforms.conf:
[setnull]
REGEX = 220
DEST_KEY = queue
FORMAT = nullQueue
For testing, I just simplified the REGEX to filter out all events containing "220".
I even tried REGEX = . (to filter out everything) but it still had no effect.
What am I missing?
I'm using Splunk 6.2.5 BTW.
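As an added example (not from the original thread), a small Python dry-run of the setnull transform against constructed vsftpd-style events. Splunk applies REGEX as an unanchored search over _raw, so REGEX = 220 discards any event with "220" anywhere in it (an IP octet, a byte count), not only the events you meant to drop; the sample lines and helper names here are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed vsftpd-style events (not taken from the original thread).
SAMPLE_EVENTS = [
    'Tue Oct  6 10:15:02 2015 [pid 1501] CONNECT: Client "10.0.220.5"',
    'Tue Oct  6 10:15:03 2015 [pid 1501] [ftp] OK LOGIN: Client "10.0.220.5", anon password "user@example.com"',
    'Tue Oct  6 10:15:05 2015 [pid 1503] [ftp] OK DOWNLOAD: Client "192.168.1.9", "/pub/readme.txt", 220 bytes, 1.20Kbyte/sec',
    'Tue Oct  6 10:16:00 2015 [pid 1510] FAIL LOGIN: Client "203.0.113.7"',
]

# The transforms.conf stanza from the question, embedded as text.
TRANSFORMS_CONF = """[setnull]
REGEX = 220
DEST_KEY = queue
FORMAT = nullQueue
"""

def parse_stanzas(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers followed by key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def apply_nullqueue(stanza: Dict[str, str], events: List[str]) -> Tuple[List[str], List[str]]:
    """Dry-run one transform: Splunk runs REGEX as an unanchored search over
    _raw and, for DEST_KEY = queue / FORMAT = nullQueue, discards each match."""
    if stanza.get("DEST_KEY") != "queue" or stanza.get("FORMAT") != "nullQueue":
        return list(events), []  # not a nullQueue transform, nothing is dropped
    pattern = re.compile(stanza["REGEX"])
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped

def dropped_count(regex: str) -> int:
    """How many sample events a candidate REGEX would send to the null queue."""
    stanza = {"REGEX": regex, "DEST_KEY": "queue", "FORMAT": "nullQueue"}
    return len(apply_nullqueue(stanza, SAMPLE_EVENTS)[1])
```

Comparing dropped_count("220") with dropped_count("CONNECT:") on the same events shows the difference between a substring that happens to occur and a pattern tied to the event type you actually intend to discard.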
Mystery solved!
Per Splunk support's recommendation, I reinstalled a fresh Splunk 6.2.5 and everything worked as expected.
I guess the problem is that my previous 6.2.5 installation was an upgrade from 6.0.1.
Shouldn't have to do that, but hey, it works now.
Just opened a new case with Splunk support.
Will post the results when the case is resolved.
Try like this (changes to transforms.conf, keep the same props.conf)
transforms.conf
[setnull]
REGEX = (220)
DEST_KEY = queue
FORMAT = nullQueue
Also, make sure to restart the heavy forwarder after the change.
Same results.
Just for testing, I brought the props.conf/transforms.conf to the indexer and it filtered as expected.
So it must be something on the forwarder side.
Not sure if it helps, but "cmd btool" dumped this info:
% /opt/splunk/bin/splunk cmd btool transforms list setnull
[setnull]
CAN_OPTIMIZE = True
CLEAN_KEYS = True
DEFAULT_VALUE =
DEST_KEY = queue
FORMAT = nullQueue
KEEP_EMPTY_VALS = False
LOOKAHEAD = 4096
MV_ADD = False
REGEX = 220
SOURCE_KEY = _raw
WRITE_META = False