Hello,
we are successfully logging events from Docker hosts via Splunk adapter (HEC) into splunk.
Problems arise when we try to filter some unwanted events.
I tried to send those events to the NULL-Queue
props.conf:

    [host::<somehost>]
    TRANSFORMS-nullQueueFilterSpecificEvents = filter_setNull_4_specific_events

transforms.conf:

    [filter_setNull_4_specific_events]
    REGEX = <someregex>
    DEST_KEY = queue
    FORMAT = nullQueue
It doesn't work. I am still getting all events unfiltered. One possible reason could be that, depending on the HEC endpoint, the events go through a "structured parsing queue" instead of the normal route, and that transformations aren't possible there.
Is this a possible explanation?
How can I determine which endpoint is used?
Perhaps the log config in the docker-compose.yml can give some clarification:
    logging:
      driver: splunk
      options:
        tag: "ct={{.Name}}"
        splunk-token: <sometoken>
        splunk-url: https://<splunkhost-fqdn>:<port>
        splunk-format: raw
        splunk-insecureskipverify: "true"
The events are not json but unstructured.
Can someone give me a hint, or has anyone already successfully filtered Docker events with transformations in props.conf/transforms.conf?
Thanks in advance!
Regards,
Jens
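A small added example (not part of the post above and not Splunk's own code) that emulates how a TRANSFORMS stanza with DEST_KEY = queue / FORMAT = nullQueue would decide, per raw event, whether the event is dropped. It assumes an example regex (`healthcheck`) in place of `<someregex>`, and it assumes that with `splunk-format: raw` the logging driver prepends the configured tag (`ct=<container name>`) to each line, so the regex in transforms.conf must match the event as it arrives, tag included. The second stanza shows the consequence: a regex anchored at the start of the original log line no longer matches once the tag is in front of it.

```python
import re
from configparser import ConfigParser

# Constructed transforms.conf text (stanza from the post, with an assumed
# example regex standing in for <someregex>).
TRANSFORMS_CONF = """
[filter_setNull_4_specific_events]
REGEX = healthcheck
DEST_KEY = queue
FORMAT = nullQueue
"""

# Same stanza, but with the regex anchored to the start of the line as it
# would look in the container's own stdout (assumption: the tag prefix is
# what breaks this anchor).
ANCHORED_CONF = """
[filter_setNull_4_specific_events]
REGEX = ^GET /healthcheck
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events as the splunk logging driver is assumed to deliver
# them with splunk-format: raw and tag "ct={{.Name}}": tag first, then the line.
SAMPLE_EVENTS = [
    "ct=web GET /healthcheck 200",
    "ct=web POST /login 401 user=alice",
    "ct=db checkpoint complete",
]


def load_transforms(conf_text):
    """Parse transforms.conf-style stanzas into compiled regexes and routing keys."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in their original case
    cp.read_string(conf_text)
    transforms = {}
    for name in cp.sections():
        stanza = cp[name]
        transforms[name] = {
            # Splunk applies TRANSFORMS regexes unanchored, so search() is used.
            "regex": re.compile(stanza["REGEX"]),
            "dest_key": stanza.get("DEST_KEY", ""),
            "format": stanza.get("FORMAT", ""),
        }
    return transforms


def route_event(raw, transforms, order):
    """Return 'nullQueue' if any listed nullQueue transform matches, else 'indexQueue'."""
    for name in order:
        t = transforms[name]
        if (
            t["dest_key"] == "queue"
            and t["format"] == "nullQueue"
            and t["regex"].search(raw)
        ):
            return "nullQueue"
    return "indexQueue"


def filter_events(events, conf_text=TRANSFORMS_CONF,
                  order=("filter_setNull_4_specific_events",)):
    """Map each raw event to the queue it would be routed to under conf_text."""
    transforms = load_transforms(conf_text)
    return {event: route_event(event, transforms, order) for event in events}


if __name__ == "__main__":
    for conf in (TRANSFORMS_CONF, ANCHORED_CONF):
        for event, queue in filter_events(SAMPLE_EVENTS, conf).items():
            print(f"{queue:10}  {event}")
        print("--")
```

Running it prints one line per event with the queue it lands in; with the unanchored regex the health-check line goes to nullQueue, while the anchored variant keeps every event because the `ct=web ` prefix sits before `GET`. The emulation only covers the regex-to-queue decision, not the question of which HEC endpoint or parsing queue the events actually traverse.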