Solved: Problem routing events to nullQueue

nocostk · ‎11-24-2010

I'm trying to get a multi-line log4j event sent to the nullQueue on a Regular forwarder. Here is my inputs/props/transforms.conf:

[monitor:///opt/ShoppingSite/work/logs/tomcat.log]
disabled = false
followTail = 1
sourcetype = log4j

[source::///opt/ShoppingSite/work/logs/tomcat.log]
TRANSFORMS-filtercrap = cleantomcat

[cleantomcat]
REGEX = (?m).+getResponseEntity\nINFO:\s+The\slength\sof\sthe\smessage\sbody\sis\sunknown.+
DEST_KEY = queue
FORMAT = nullQueue

This is the event from my tomcat log I need filtered:

Nov 24, 2010 12:51:18 PM com.noelios.restlet.http.HttpClientCall getResponseEntity
INFO: The length of the message body is unknown. The entity must be handled carefully and consumed entirely in order to surely release the connection.

I've checked my regex using KiKi (Linux regex utility). Anyone have any thoughts? These events are still showing up when I search on my search head.

bfaber · ‎11-25-2010

What happens if you change the props.conf from

[source::///opt/ShoppingSite/work/logs/tomcat.log]

to

[log4j]

and restart the forwarder?

View solution in original post

bfaber · ‎11-25-2010

What happens if you change the props.conf from

[source::///opt/ShoppingSite/work/logs/tomcat.log]

to

[log4j]

and restart the forwarder?

gkanapathy · ‎11-30-2010

source:: clauses should not have the triple slashes /// at the start, just the /. The // is part of inputs monitor syntax.

nocostk · ‎11-26-2010

That seems to work. Why would sourcetype work but not source?

Problem routing events to nullQueue

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!