I have two clustered environments consisting of 3 SH,3 Indexers and 1 HWF each running on Splunk 6.4.1.
I need to filter out certain unwanted events coming from jms queues and send them to the nullQueue.
I added below code in HWF in props.conf:
[my_sourcetype]
TRANSFORMS-set= setnull,setparsing
and this in transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (?<=mbody=.{51}TQ-123|mbody=.{51}TQ-145)
DEST_KEY = queue
FORMAT = indexQueue
This is working perfectly in one cluster environment but not working in another cluster environment . Since the conf files are the same and so is the version of the splunk forwarders ,indexers and servers, why does filtering fails on the 2nd environment.
Any suggestion as to how to debug this? Or what might be the reason for this?
Thanks !
↧