Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with event filtering - excluding events before indexing

ebailey
Communicator
‎10-07-2013 11:36 AM

I have an overload of events no one wants and are eating up our license so I did the following and it is not working.

I am trying to drop the following message:

"Terminating on fatal IPC exception"

I am running this off of a heavy forwarder:

Here is my props

[source::/opt/logs/all_logs]
TRANSFORMS-null= setnull

Here is my transforms

[setnull]
REGEX = /Terminating on fatal IPC exception/
DEST_KEY = queue
FORMAT = nullQueue

The above is working so well now no events are being forwarded to the indexers. Any idea what I am doing wrong?

Thanks

Ed

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎10-07-2013 03:30 PM

I don't think the REGEX needs the / characters around it unless that is in the actual event. This should be fine:

REGEX = Terminating on fatal IPC exception

But, a stanza name as generic as "setnull" may already existing within configs. I might suggest naming it something more specific like:

[source::/opt/logs/all_logs]
TRANSFORMS-null= setnull-fatalIPCexception

[setnull-fatalIPCexception]
REGEX = Terminating on fatal IPC exception
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎10-07-2013 03:30 PM

I don't think the REGEX needs the / characters around it unless that is in the actual event. This should be fine:

REGEX = Terminating on fatal IPC exception

But, a stanza name as generic as "setnull" may already existing within configs. I might suggest naming it something more specific like:

[source::/opt/logs/all_logs]
TRANSFORMS-null= setnull-fatalIPCexception

[setnull-fatalIPCexception]
REGEX = Terminating on fatal IPC exception
DEST_KEY = queue
FORMAT = nullQueue
Reply
Solved! Jump to solution

ebailey
Communicator
‎10-08-2013 06:59 AM

this is not a multi-line event - good idea using a search string to test the regex. Thanks

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-07-2013 04:54 PM

Is this a multi-line event? You could try adding (?msi) to the beginning of the regex. You can test the regex in a search string which saves restarting the forwarder.

0 Karma
Reply
Solved! Jump to solution

ebailey
Communicator
‎10-07-2013 04:49 PM

BTW - the actual full event is

Oct 7 23:49:04 xxxhostnamexxx lsassd[9246]: 0x3fcc8b90:Terminating on fatal IPC exception

0 Karma
Reply
Solved! Jump to solution

ebailey
Communicator
‎10-07-2013 04:48 PM

I made your suggested change and no joy. Now all events are flowing from the heavy forwarder to the indexers. Thanks for your effort.

Ed

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-07-2013 12:01 PM

The config looks good. Somehow you're regex is matching everything. I've used something very similar in the past, but on the indexer. Never tried it on a heavy forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...