Running a Splunk Light instance with Linux Universal Forwarders and I can't seem to filter out data. Reading up on the docs, I understand that UFs do not support/read custom props/transforms, so I've configured the following on my indexer:
# pwd /opt/splunk/etc/system/local
props.conf
[source::/var/log/syslog]
TRANSFORMS-set= snmpdSetNull
transforms.conf
[snmpdSetNull]
FORMAT=nullQueue
DEST_KEY=queue
REGEX = snmpd\[[0-9]{1,}\]\:\ Connection\ from\ UDP\:
These should be picked up immediately with a new query (from what I understand), but I have both manually refreshed by hitting http://splunkUrl:8000/en-US/debug/refresh/ and fully bounced the Splunk instance. New instances of the query are still being indexed and are searchable, in the following format:
Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52282->[10.10.10.31]:161
Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52283->[10.10.10.31]:161
Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52284->[10.10.10.31]:161
Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52285->[10.10.10.31]:161
Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52286->[10.10.10.31]:161
Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52287->[10.10.10.31]:161
Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52288->[10.10.10.31]:161
The regex appears valid, as I can check it with rex and match events:
host=serverName | rex field=Event "(?<snmpd>snmpd\[[0-9]{1,}\]\:\ Connection\ from\ UDP\:)"
I want to completely drop events matching the regex from being indexed. From what I've read, UFs will still send data "across the line", but the above nullQueue statement should prevent events from being indexed. I'm still seeing new events populate, though, so I'm wondering if it's a syntax issue, whether my props/transforms are being overridden somewhere, or whether this is supported at all with my current setup. Any help would be much appreciated!
/opt/splunk/bin/splunk cmd btool props list
...
...
[source::/var/log/syslog]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRANSFORMS-set = snmpdSetNull
TRUNCATE = 10000
detect_trailing_nulls = false
maxDist = 100
priority =
sourcetype =
...
/opt/splunk/bin/splunk cmd btool transforms list
...
...
[snmpdSetNull]
CAN_OPTIMIZE = True
CLEAN_KEYS = True
DEFAULT_VALUE =
DEST_KEY = queue
FORMAT = nullQueue
KEEP_EMPTY_VALS = False
LOOKAHEAD = 4096
MV_ADD = False
REGEX = snmpd\[[0-9]{1,}\]\:\ Connection\ from\ UDP\:
SOURCE_KEY = _raw
WRITE_META = False
...
...
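The routing the question describes (a props.conf stanza that selects a transforms.conf class whose DEST_KEY is queue and whose FORMAT is nullQueue) can be checked offline before touching the indexer. The following is an added example, not the poster's code and not Splunk's own parser: it reads conf text in the same shape as the stanzas above, resolves the TRANSFORMS-* classes for a given source value, and reports which constructed sample events would land in nullQueue. Assumptions: Python's re module stands in for Splunk's PCRE engine, stanza matching is simplified to exact names with `*` wildcards (Splunk also accepts `...` and regex stanza names), only `_raw` to `queue` routing transforms are modelled, and the sshd/CRON lines and the second source path are made up for the demonstration.

```python
"""Offline check of a Splunk nullQueue filter: parse props.conf / transforms.conf
text, resolve the TRANSFORMS-* classes for a source, and route sample events.
Added example, not Splunk code; Splunk's own matching rules are only approximated."""
import configparser
import fnmatch
import re

# Constructed conf text mirroring the stanzas in the question.
PROPS_CONF = r"""
[source::/var/log/syslog]
TRANSFORMS-set = snmpdSetNull
"""

TRANSFORMS_CONF = r"""
[snmpdSetNull]
REGEX = snmpd\[[0-9]{1,}\]\:\ Connection\ from\ UDP\:
DEST_KEY = queue
FORMAT = nullQueue
SOURCE_KEY = _raw
"""

# Constructed sample events (not real log data): two snmpd lines like the
# question's, plus two unrelated syslog lines that must survive the filter.
SAMPLE_EVENTS = [
    "Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52282->[10.10.10.31]:161",
    "Apr 29 12:58:38 serverName snmpd[1153]: Connection from UDP: [10.10.10.48]:52283->[10.10.10.31]:161",
    "Apr 29 12:58:40 serverName sshd[2201]: Accepted publickey for admin from 10.10.10.5 port 50122 ssh2",
    "Apr 29 12:59:01 serverName CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)",
]


def load_conf(text):
    """Parse Splunk-style .conf text. Keys keep their case (TRANSFORMS-set != transforms-set)
    and only '=' separates key from value, so ':' inside a REGEX is left alone."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def stanza_matches(stanza, source, sourcetype=None, host=None):
    """Approximate Splunk stanza matching: source::/host:: with '*' wildcards, a bare
    stanza name as a sourcetype. '...' and regex stanza names are not modelled (assumption)."""
    if stanza.startswith("source::"):
        return fnmatch.fnmatchcase(source, stanza[len("source::"):])
    if stanza.startswith("host::"):
        return host is not None and fnmatch.fnmatchcase(host, stanza[len("host::"):])
    return sourcetype is not None and stanza == sourcetype


def transforms_for(props, source, sourcetype=None, host=None):
    """Collect the TRANSFORMS-<class> names that apply to an event, in props.conf order."""
    names = []
    for stanza in props.sections():
        if not stanza_matches(stanza, source, sourcetype, host):
            continue
        for key, val in props[stanza].items():
            if key.startswith("TRANSFORMS-"):
                names.extend(n.strip() for n in val.split(",") if n.strip())
    return names


def route_event(raw, props, transforms, source, sourcetype=None, host=None):
    """Return the queue the event ends up in: 'indexQueue' unless a routing transform
    (DEST_KEY = queue) matches _raw; the last matching transform wins."""
    queue = "indexQueue"
    for name in transforms_for(props, source, sourcetype, host):
        t = transforms[name]
        if t.get("DEST_KEY") != "queue" or t.get("SOURCE_KEY", "_raw") != "_raw":
            continue  # only _raw -> queue routing transforms are modelled here
        if re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def filter_events(events, source, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Split events into (indexed, dropped) lists for the given source path."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    indexed, dropped = [], []
    for raw in events:
        target = dropped if route_event(raw, props, transforms, source) == "nullQueue" else indexed
        target.append(raw)
    return indexed, dropped


if __name__ == "__main__":
    # The second source path is constructed to show that a source:: stanza only
    # fires when the source value seen by the indexer equals the stanza's path.
    for src in ("/var/log/syslog", "/var/log/messages"):
        kept, gone = filter_events(SAMPLE_EVENTS, src)
        print(f"source={src}: indexed={len(kept)} dropped={len(gone)}")
```

The /var/log/messages run drops nothing, which is the point worth checking in a real deployment: a `[source::...]` stanza applies only when the event's source value, as it arrives at the indexer, matches the stanza, so a monitor stanza on the forwarder that overrides `source`, or a parsing tier upstream of the indexer, leaves the transform unused even though btool shows it merged. On the instance doing the parsing, `splunk cmd btool props list --debug` prints which file supplies each setting, which is the quickest way to confirm the stanza is the one in effect.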