The development environment was easy. My indexer cluster production environment (Splunk 6.4.1) is making this difficult. Question is—what am I missing? I believe I have tried everything except the correct thing to filter out unwanted F5 heartbeat entries from the new Tomcat access logs.
What I have is a new Tomcat deployment and I am using Universal Forwarder (UF) to forward the information. I would prefer not to have to deploy a Heavy Forwarder (HF) for several reasons but may have to. Currently, I have all forwarders pointing to an intermediate forwarder where I would like to filter out these unwanted records prior to indexing. The intermediate forwarder points to the Distributed Management Console (DMC) which sends the data to the clustered indexers.
I have the Splunk Add-on for Tomcat on everything now and I already know that UF cannot filter data prior to forwarding. My final attempt before posting this query: on the intermediate HF I have the following configured under

/opt/splunk/etc/system/local/props.conf:

```ini
[default]
TRANSFORMS-set = dropChatter
```

/opt/splunk/etc/system/local/transforms.conf:

```ini
[dropChatter]
# dots escaped so they match literal dots only, not any character
REGEX = (?m)(192\.168\.18\.23[12])
DEST_KEY = queue
FORMAT = nullQueue
```
Several other configurations work as planned but those are all local files—this is forwarded data that travels “round the horn” to the indexers. Any help would be appreciated. I believe I have read almost every PDF and answer on this site to no avail. The Splunk Add-on for Tomcat is also installed on this server and configured the same way under /opt/splunk/etc/apps/Splunk_TA_tomcat/local.
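An added example (not from the post, and not Splunk's own code) that mimics how a transforms.conf REGEX is applied, as an unanchored search over each raw event, against constructed Tomcat access-log lines. It contrasts the regex as posted with a tightened, anchored form (an assumption about the access-log format: the client IP is the first field) so the effect on real client traffic that merely mentions the heartbeat address can be checked before deploying to nullQueue.

```python
import re

# Constructed Tomcat access-log lines (combined format); not taken from the post.
SAMPLE_LINES = [
    '192.168.18.231 - - [10/Jun/2016:10:00:01 +0000] "GET /health HTTP/1.0" 200 2 "-" "F5 monitor"',
    '192.168.18.232 - - [10/Jun/2016:10:00:03 +0000] "GET /health HTTP/1.0" 200 2 "-" "F5 monitor"',
    '10.20.30.40 - - [10/Jun/2016:10:00:05 +0000] "GET /app/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    # Real client; the request path contains a 192?168?18?231-shaped string (unescaped dots match it)
    '10.20.30.41 - - [10/Jun/2016:10:00:07 +0000] "GET /report/192x168x18x231.pdf HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
    # Real client; the referer mentions the heartbeat IP verbatim (unanchored regex matches it)
    '10.20.30.42 - - [10/Jun/2016:10:00:09 +0000] "GET /app HTTP/1.1" 200 7 "http://192.168.18.231/" "Mozilla/5.0"',
]

# Regex as posted: dots unescaped, match anywhere in the event.
REGEX_AS_POSTED = r"(?m)(192.168.18.23[12])"
# Tightened form (assumption): literal dots, anchored to the client-IP field at line start.
REGEX_TIGHTENED = r"^192\.168\.18\.23[12]\s"


def is_dropped(regex, line):
    """Mimic the transforms.conf check: REGEX is searched, unanchored, against _raw."""
    return re.search(regex, line) is not None


def split_events(regex, lines):
    """Return (kept, dropped) lists, i.e. what would reach the index vs. the nullQueue."""
    kept, dropped = [], []
    for line in lines:
        (dropped if is_dropped(regex, line) else kept).append(line)
    return kept, dropped


if __name__ == "__main__":
    for name, rx in (("as posted", REGEX_AS_POSTED), ("tightened", REGEX_TIGHTENED)):
        kept, dropped = split_events(rx, SAMPLE_LINES)
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}")
        for line in dropped:
            print("  dropped:", line[:60])
```

Running it shows the posted regex also discards the two legitimate client requests, while the anchored form drops only the two heartbeat events.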