- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Cloud Platform
- :
- How avoid the nullroute applying to just one speci...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How avoid the nullroute applying to just one specific source n windows?
I have logs being monitored form winodws as below:
[monitor://D:\Logs\*]
sourcetype = abc
index = def
I also currently have info logs being null routed which applies to all the //D:\Logs\jkl.txt
and therefor we dont see any logs from //D:\Logs\jkl.txt in Splunk.
Now without modifying the nullroute in props and transforms, I want to ingest logs from //D:\Logs\jkl.txt, how can i avoid the null route to not apply on this specific logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way just to exclude specific sources form the transforms null-route?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@deepakc Sorry, I missed to mention, my monitor is:
[monitor://D:\Logs\*]
sourcetype = abc
index = def
and the transforms is set to:
REGEX=(Info|info|Information|debug|Debug|Verbose)
DEST_KEY = queue
FORMAT = nullQueue
And, my //D:\Logs\jkl.txt have all info logs and therefore does not ingest currently because of the transform but now I want to ingest this file but removing the transforms will ingest info logs from other sources as well which I dont want.
How can I proceed?
But now I want to ingest the
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As your current inputs is set for scraping all the logs from the folder D:\logs and then you are sending various events from the those logs to null and now you want to be more selective in terms of one log file that you want for info level information and still keep the others from sending some type of events, this becomes a little tricky without testing and having a tinker.
Some options that may work:
Option 1 You might want to move that log (jkl.txt) to another folder or a sub folder and monitor it separately with another monitor, props and transforms so you can control it, this would leave the other's where they are and you can ingest this one now and filter on it as well.
Option 2 Rework your current props and transforms - you may be able to set by source in props, do this for all your other logs and send them to null, either way this all needs some level config and testing out.
[source::...my_otherlog.txt]
TRANSFORMS-my_otherlog = my_otherlog_file_null- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don’t think you can.
Setting null routing should come first in your props and transforms (Left to right order) otherwise all the data will get discarded, so look at the order of your props, I'm sure the null is first order which defines the jkl.txt logs.
What you want to do now is to explicitly add the jkl.txt for ingest, so the method would be to whitelist only the files you want to be logged as in the example below.
[monitor://D:\Logs\*]
sourcetype = abc
index = def
whitelist=(*jkl.txt|*myother_files.txt)
So, me thinks you may have to modify the null routing or disable it.
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
