
null queue example fails to start #1644

Closed
zyphermonkey opened this issue Apr 10, 2022 · 4 comments
Assignees
Labels
documentation Improvements or additions to documentation

Comments

@zyphermonkey
Contributor

zyphermonkey commented Apr 10, 2022

The example conf for filtering events from output to null queue fails to start.

Example Conf

block parser cisco_ios_debug-postfilter() {
    channel {
        # In this case the outcome is to drop the event; other logic such as adding indexed fields or editing the message is possible
        rewrite {
            rewrite(r_set_dest_splunk_null_queue);
        };
    };
};
application cisco_ios_debug-postfilter[sc4s-postfilter] {
    filter {
        "${fields.sc4s_vendor_product}" eq "cisco_ios"
        # Note: the regex reads as
        #   start from first position
        #   any at least 1 char that is not a `-`
        #   constant '-7-'
        and message('^%[^\-]+-7-');
    };
    parser { cisco_ios_debug-postfilter(); };
};

Startup Output

Apr 10 11:53:44 splunk-sc4s-01 podman[15289]: syslog-ng checking config
Apr 10 11:53:44 splunk-sc4s-01 podman[15289]: sc4s version=2.26.2
Apr 10 11:53:45 splunk-sc4s-01 podman[15289]: starting goss
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: Error parsing parser expression, syntax error, unexpected KW_REWRITE, expecting '}' in block parser cisco_ios_debug-postfilter() at /etc/syslog-ng/conf.d/local/config/app_parsers/syslog/null_example.conf:1:7:12-7:19:
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 2       #Start Block block parser cisco_ios_debug-postfilter() at /etc/syslog-ng/conf.d/local/config/app_parsers/syslog/null_example.conf:1
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 3
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 4           channel {
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 5               #In this case the outcome is drop the event other logic such as adding indexed fields or editing the message is possible
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 6               rewrite {
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 7----->            rewrite(r_set_dest_splunk_null_queue);
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 7----->            ^^^^^^^
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 8               };
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 9          };
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 10
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 11      #End Block block parser cisco_ios_debug-postfilter() at /etc/syslog-ng/conf.d/local/config/app_parsers/syslog/null_example.conf:1
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 12
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: Included from parser generator app-parser:300:15-300:43:
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 295             # start from first position
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 296             # Any atleast 1 char that is not a
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 297             # constant '-7-'
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 298             and message('^%[^\-]+-7-');
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 299          };
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 300--->     parser {  cisco_ios_debug-postfilter();  };
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 300--->               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 301         rewrite {
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 302            set-tag('.app.cisco_ios_debug-postfilter');
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 303            set('cisco_ios_debug-postfilter' value('.app.name'));
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 304         };
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 305         flags(final);
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: Included from /etc/syslog-ng/conf.d/plugin/app_parser_topics.conf:32:5-32:39:
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 27      parser app-plugin-syslog-fix-program{
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 28          app-parser(topic(fix-invalid-program));
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 29      };
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 30
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 31      parser app-plugin-source-postprocess{
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 32---->     app-parser(topic(sc4s-postfilter));
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 32---->     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 33      };
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: Included from /etc/syslog-ng/syslog-ng.conf:41:1-41:1:
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 36
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 37      @include "conf.d/enrich/*.conf"
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 38      @include "conf.d/enrich/*/*.conf"
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 39
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 40      @include "conf.d/plugin/*.conf"
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 41---->
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 41----> ^
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 42      @include "conf.d/sources/*.conf"
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 43      @include "conf.d/sources/*/*.conf"
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 44      @include "conf.d/local/config/sources/*.conf"
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 45      @include "conf.d/local/config/sources/*/*.conf"
Apr 10 11:53:46 splunk-sc4s-01 podman[15289]: 46
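Before a null-queue postfilter goes live it is worth checking what it will actually drop, since anything it matches never reaches Splunk. The Python below is an added example (not code from the issue or from the sc4s project) that mirrors the application filter above, `sc4s_vendor_product eq cisco_ios` combined with the same `^%[^\-]+-7-` regex, against constructed sample events; the event dict layout and field names are assumptions.

```python
import re

# Same pattern as the postfilter above: '%', a facility with no '-', then '-7-'.
# Cisco IOS messages look like "%FACILITY-SEVERITY-MNEMONIC: text"; severity 7 is debugging.
DEBUG_MSG = re.compile(r'^%[^\-]+-7-')


def routes_to_null_queue(event):
    """Mirror the application filter: vendor_product must be cisco_ios
    AND the message must match the severity-7 pattern."""
    return (event.get("sc4s_vendor_product") == "cisco_ios"
            and DEBUG_MSG.search(event.get("message", "")) is not None)


def split_events(events):
    """Partition events into (dropped, kept) so the filter's effect can be
    reviewed before the postfilter is deployed."""
    dropped = [e for e in events if routes_to_null_queue(e)]
    kept = [e for e in events if not routes_to_null_queue(e)]
    return dropped, kept


# Constructed sample events (not taken from the issue); the field layout is assumed.
SAMPLE_EVENTS = [
    {"sc4s_vendor_product": "cisco_ios",
     "message": "%SYS-7-USERLOG_DEBUG: Message from tty1(user id: admin): debugging"},
    # Severity 6 ACL log: must be kept, this is exactly the kind of event a SOC wants.
    {"sc4s_vendor_product": "cisco_ios",
     "message": "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 10.0.0.9(22), 1 packet"},
    # Severity 5 config change: must be kept.
    {"sc4s_vendor_product": "cisco_ios",
     "message": "%SYS-5-CONFIG_I: Configured from console by admin on vty0"},
    # Severity 7 text but a different vendor_product: the filter must leave it alone.
    {"sc4s_vendor_product": "cisco_asa",
     "message": "%ASA-7-111009: User 'admin' executed cmd: show run"},
]

if __name__ == "__main__":
    dropped, kept = split_events(SAMPLE_EVENTS)
    for e in dropped:
        print("DROP", e["message"])
    for e in kept:
        print("KEEP", e["message"])
```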

@satellite-no
Contributor

Hey,
I've had this issue as well. I think the issue is that the documentation is out of date and needs to be updated. Use the example below to null queue.

block parser vmware_vsphere_sps-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_update(
                vendor('null') product('queue')
            );
        };
    };
};

application vmware_vsphere_sps-postfilter[sc4s-postfilter] {
    filter {
        netmask(10.80.99.253/32) and
        program("sps")
    };
    parser { vmware_vsphere_sps-postfilter(); };
};

@zyphermonkey
Contributor Author

That worked!

I'm going to leave this open though. Would like to hear back from one of the maintainers to see if this is the current way and/or if the documentation needs to be updated.

@ryanfaircloth
Contributor

Should be

block parser cisco_ios_debug-postfilter() {
    channel {
        # In this case the outcome is to drop the event; other logic such as adding indexed fields or editing the message is possible
        rewrite(r_set_dest_splunk_null_queue);
    };
};
application cisco_ios_debug-postfilter[sc4s-postfilter] {
    filter {
        "${fields.sc4s_vendor_product}" eq "cisco_ios"
        # Note: the regex reads as
        #   start from first position
        #   any at least 1 char that is not a `-`
        #   constant '-7-'
        and message('^%[^\-]+-7-');
    };
    parser { cisco_ios_debug-postfilter(); };
};

@satellite-no
Contributor

Confirmed it's a bug then lol.

@rjha-splunk rjha-splunk added the documentation Improvements or additions to documentation label Apr 23, 2022
@rjha-splunk rjha-splunk self-assigned this Apr 23, 2022