Solved: Re: Why is nullQueue configuration not working?

wegscd · ‎08-22-2014

/opt/splunk/etc/system/local/transforms.conf

[WhirlpoolMWGBad]
REGEX=200
DEST_KEY=queue
FORMAT=nullQueue

/opt/splunk/etc/system/local/props.conf

[WhirlpoolMWGLog]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
TRANSFORMS-WhirlpoolMGWBad = WhirlpoolMGWBad

splunkd is restarted.

lines containing '200' should not get indexed, but they are still getting indexed. What am I missing?

Ayn · ‎08-24-2014

You have a transform name mismatch between your props.conf and transforms.conf. In props.conf you call the transform "WhirlpoolMGWBad" whereas you call the transform "WhirlpoolMWGBad" (you've switched the W and G) in transforms.conf.

View solution in original post

Ayn · ‎08-24-2014

You have a transform name mismatch between your props.conf and transforms.conf. In props.conf you call the transform "WhirlpoolMGWBad" whereas you call the transform "WhirlpoolMWGBad" (you've switched the W and G) in transforms.conf.

wegscd · ‎08-25-2014

d'oh! must have looked at that 5 times. Thank you for that.

is there a way to change the logging levels so that Splunk will log if a non-existent stanza is referenced?

starcher · ‎08-23-2014

Have you made sure the props and transforms are on all of your indexers? For Nullqueue work it needs to be on the indexers receiving the events.

MuS · ‎08-22-2014

Does your sourcetype match exactly?

strive · ‎08-22-2014

Can you post your sample log event?

Why is nullQueue configuration not working?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk