Splunk Search

Can't replace a healthcheck string in nginx

scalp42
New Member

Hi,

I have looked at the docs and tried to remove a line from the nginx access log regarding our LB:

192.168.27.169 - - [30/Oct/2012:23:02:53 +0000] "GET /node/lbtest.txt HTTP/1.0" 200 9 "-" "HTTP-Monitor/1.1" "-"

and

Started GET "/node/lbtest.txt" for 127.0.0.1 at 2012-10-30 23:55:58 +0000
Processing by HealthCheckController#lbtest as TXT

Here is my props.conf:

[sourcetype::access_combined_wcookie]
TRANSFORMS-ignore=ignore

[sourcetype::production-2]
TRANSFORMS-null=setnull

[sourcetype::access_combined_wcookie]
TRANSFORMS-null2=nukefromorbit

[host::app*]
SEDCMD-health = s/lbtest/DEVOPS/g

Please note that production-2, access_combined_wcookie sourcetypes parse Nginx logs.

The host sending the event is app-05.

Here is my transforms.conf:

[ignore]
REGEX = (?m)*lbtest*
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = lbtest|HealthCheckController
DEST_KEY = queue
FORMAT = nullQueue

[nukefromorbit]
REGEX = *
DEST_KEY = queue
FORMAT = nullQueue

This conf is obviously destructive by nature (as in, way beyond removing this lbtest line, mix-n-matching), as I've tried everything possible to remove this line from the logs.

I have restarted the Splunk forwarder and I'm running out of solutions.

Thank you in advance.


gkanapathy
Splunk Employee

scalp42
New Member

I think it has to be on the forwarder/nginx host.


gkanapathy
Splunk Employee

I guess my point was, is it on the right server?


scalp42
New Member

I'm pretty sure it is:

Parsing

props.conf

LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings
TZ, DATETIME_CONFIG, TIME_FORMAT, TIME_PREFIX, and all other time extraction settings and rules
TRANSFORMS* which includes per-event queue filtering, per-event index assignment, per-event routing. Applied in the order defined
SEDCMD*
MORE_THAN*, LESS_THAN*

transforms.conf

stanzas referenced by a TRANSFORMS* clause in props.conf
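Added example (not code from the thread or from Splunk): a small Python simulation of the parsing order listed above, run over the question's own props/transforms stanzas and the two sample events. Python's re module stands in for Splunk's PCRE engine (assumption: same behaviour for these simple patterns), REGEX is searched unanchored against _raw as transforms.conf does by default, and a REGEX that does not compile is treated as one that never matches (assumption; Splunk logs a configuration error in that case). The point it makes visible: `(?m)*lbtest*` and `*` are not valid regular expressions, so the two access_combined_wcookie transforms can never send anything to nullQueue, while `lbtest|HealthCheckController` does match; and because TRANSFORMS-* run before SEDCMD-*, the sed rewrite only ever touches events that already survived routing.

```python
import re

# Constructed sample events, tagged with the sourcetype/host from the question.
EVENTS = [
    {"host": "app-05", "sourcetype": "access_combined_wcookie",
     "_raw": '192.168.27.169 - - [30/Oct/2012:23:02:53 +0000] "GET /node/lbtest.txt HTTP/1.0" 200 9 "-" "HTTP-Monitor/1.1" "-"'},
    {"host": "app-05", "sourcetype": "production-2",
     "_raw": 'Started GET "/node/lbtest.txt" for 127.0.0.1 at 2012-10-30 23:55:58 +0000'},
    {"host": "app-05", "sourcetype": "production-2",
     "_raw": "Processing by HealthCheckController#lbtest as TXT"},
    {"host": "app-05", "sourcetype": "production-2",   # constructed non-healthcheck line
     "_raw": 'Started GET "/users/42" for 10.0.0.7 at 2012-10-30 23:56:01 +0000'},
]

# transforms.conf stanzas exactly as posted in the question (all route to nullQueue).
TRANSFORMS = {
    "ignore": "(?m)*lbtest*",
    "setnull": "lbtest|HealthCheckController",
    "nukefromorbit": "*",
}

# props.conf: the TRANSFORMS-* names each sourcetype references, in definition order.
PROPS = {
    "access_combined_wcookie": ["ignore", "nukefromorbit"],
    "production-2": ["setnull"],
}

# [host::app*] SEDCMD-health = s/lbtest/DEVOPS/g  (runs after TRANSFORMS-*)
SEDCMD = ("lbtest", "DEVOPS")


def compile_or_none(pattern):
    """Return a compiled regex, or None when the pattern is not valid (assumed: never matches)."""
    try:
        return re.compile(pattern)
    except re.error:
        return None


def route(event):
    """Simulate the parsing phase for one event.

    Returns (queue, raw_after_sedcmd, broken_transforms):
      queue  -> "nullQueue" if a referenced REGEX matched _raw, else "indexQueue"
      broken -> names of transforms whose REGEX failed to compile
    """
    broken = []
    raw = event["_raw"]
    # Step 1: TRANSFORMS-*, applied in the order props.conf defines them.
    for name in PROPS.get(event["sourcetype"], []):
        rx = compile_or_none(TRANSFORMS[name])
        if rx is None:
            broken.append(name)
            continue
        if rx.search(raw):          # unanchored search against _raw, as Splunk does
            return "nullQueue", raw, broken
    # Step 2: SEDCMD-*, only reached by events that were not dropped above.
    if event["host"].startswith("app"):
        raw = raw.replace(*SEDCMD)
    return "indexQueue", raw, broken


def simulate(events=EVENTS):
    """Route every event; returns a list of (queue, raw, broken) tuples."""
    return [route(e) for e in events]


if __name__ == "__main__":
    for event, (queue, raw, broken) in zip(EVENTS, simulate()):
        print(f"{event['sourcetype']:25} -> {queue:10} broken={broken}  {raw}")
```

Running it shows the nginx access_combined_wcookie line reaching indexQueue with both of its transforms reported as broken (and `lbtest` rewritten to `DEVOPS` by the sed rule), while the two production-2 healthcheck lines are dropped by setnull and the ordinary request line is kept untouched.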