I have a setup with two DHCP servers, one active and one hot-standby server (both running Windows 2012R2).
I have installed the Microsoft Windows DHCP Add-on for Splunk in my Splunk environment and created the inputs.conf file below.
inputs.conf
[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = source
alwaysOpenFile = 1
disabled = false
whitelist = DhcpSrvLog*
index=test-windows
props.conf
[source::C:\Windows\System32\dhcp\DhcpSrvLog-Sat.log]
TRANSFORMS-set= setnull,setparsing
transforms.conf
[setnull]
REGEX = (?i-s)^.*\bstandby\b.*\R
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =.
DEST_KEY=queue
FORMAT=indexQueue
The goal I want to achieve is to not log the lines with "standby"...
I have tried to achieve the goal with the above props.conf and transforms.conf, but I feel a bit ignored by my Splunk 😉
Below is a small part of my test log from the passive (standby) server.
24,04/06/19,13:21:09,Database Cleanup Begin,,,,,0,6,,,,,,,,,0
25,04/06/19,13:21:09,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
25,04/06/19,13:21:09,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
36,04/06/19,13:37:17,Packet dropped because of Client ID hash mismatch or standby server.,192.168.1.0,,00155DBE312E,,0,6,,,,,,,,,0
36,04/06/19,13:38:45,Packet dropped because of Client ID hash mismatch or standby server.,192.168.1.0,,00155DBE312E,,0,6,,,,,,,,,0
36,04/06/19,13:41:47,Packet dropped because of Client ID hash mismatch or standby server.,192.168.1.0,,00155DBE312E,,0,6,,,,,,,,,0
I feel I have done as described in the question "How do you exclude all lines with INFO or WARN from being indexed?" but I just can't get it to work.
Any help would be greatly appreciated.
Best regards
Hstorm
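An added example, not part of the original post: a props.conf/transforms.conf pair that drops the "standby" events using Splunk's "discard specific events and keep the rest" pattern. It assumes the `dhcp` sourcetype set in the inputs.conf above and that both files are deployed on the instance that parses the data.

```ini
# props.conf
# Deploy on the indexer or heavy forwarder that parses this data;
# a universal forwarder does not run these index-time transforms.
# The sourcetype stanza covers every DhcpSrvLog* file, not only
# DhcpSrvLog-Sat.log, and avoids Windows path escaping in a
# [source::...] stanza.
[dhcp]
TRANSFORMS-null = setnull

# transforms.conf (same instance)
[setnull]
# The regex is applied to each event's _raw after line breaking,
# so it does not require a trailing line break (\R).
REGEX = (?i)\bstandby\b
DEST_KEY = queue
FORMAT = nullQueue

# Deliberately left out: a catch-all stanza such as
#   [setparsing]
#   REGEX = .
#   DEST_KEY = queue
#   FORMAT = indexQueue
# Transforms in one TRANSFORMS-<class> list run in the order given, and
# the last one that matches decides the queue. Listed after setnull, a
# catch-all matches every event and routes the "standby" lines back to
# indexQueue.
```

Restart Splunk on that instance after the change. The filter applies only to events indexed from then on; events already in the index stay there.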