https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360991#M43619 <P>I should have added this:<BR /> 3) Strip the raw events of certain bits of data but let the rest of the event string come in.</P> <P>I think you mean #3 but I need you to confirm. I do not at all understand the way that you have phrased the question.</P> Tue, 21 Mar 2017 01:16:25 GMT woodcock 2017-03-21T01:16:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360988#M43616 <P>Hello Team,</P> <P>I have the Splunk Add-on for NetFlow installed on Splunk Heavy Forwarder (HF), receiving data from Netflow enabled device. I am getting the data and it is sent successfully to indexer. I want to filter fields send only specific fields for indexing. Can you let me know how to achieve this?</P> <P>E.g I need to completely remove below fields from indexing. These fields are as is extracted by add-on</P> <PRE><CODE>tcp_flag,fwd_status,src_tos </CODE></PRE> <P>Will the below configuration work? And do I have to perform the change at HF or Indexer level?</P> <P>props.conf</P> <PRE><CODE>[netflow] TRANSFORMS-nullQ= nullFilter </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[nullFilter] REGEX = tcp_flag|fwd_status|src_tos DEST_KEY=queue FORMAT = nullQueue </CODE></PRE> <P>Thanks<BR /> Hemendra</P> Mon, 20 Mar 2017 05:42:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360988#M43616 hemendralodhi 2017-03-20T05:42:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360989#M43617 <P>Do you need to:<BR /> 1) Stop specific fields from being created but allow the events that have that data to be forwarded in?<BR /> 2) Stop the events themselves from coming into Splunk?</P> Mon, 20 Mar 2017 16:54:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360989#M43617 woodcock 2017-03-20T16:54:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360990#M43618 <P>Hello Woodcock,</P> <P>Thanks for your response.</P> <P>Fields were created by Netflow add on (installed on HF) based on the data and it has pre-defined extraction. Data comes in binary format which Add-on converts into ascii format and send to indexers.</P> <P>I want to stop the events for some specific fields to send to Indexer. For e.g. I don't want tcp_flag,fwd_status,src_tos field data to be sent to indexer. There are other fields too which i want to filter out. Based on this sample , I can work them out.</P> <P>Appreciate your help.</P> <P>Thanks<BR /> Hemendra</P> Tue, 29 Sep 2020 13:16:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360990#M43618 hemendralodhi 2020-09-29T13:16:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360991#M43619 <P>I should have added this:<BR /> 3) Strip the raw events of certain bits of data but let the rest of the event string come in.</P> <P>I think you mean #3 but I need you to confirm. I do not at all understand the way that you have phrased the question.</P> Tue, 21 Mar 2017 01:16:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360991#M43619 woodcock 2017-03-21T01:16:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360992#M43620 <P>@hemendralodhi Now showing in a theater near you: <CODE>Splunk Stream 7: The Filtered Dataset</CODE>. Download now at Splunkbase [<A href="https://splunkbase.splunk.com/app/1809">https://splunkbase.splunk.com/app/1809</A>]. Splunk Stream captures Netflow (v5, v9, and IPFIX) and allows you to filter based on the fields being sent in the data AS WELL AS allow you to pick which fields to index. Without using a props or transforms! Read the full documentation here: <A href="http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/ConfigureFlowcollector">http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/ConfigureFlowcollector</A></P> <P>This is to be used in the place of the Netflow Add-On, as it is more robust and scalable. </P> Tue, 21 Mar 2017 13:36:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360992#M43620 alacercogitatus 2017-03-21T13:36:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360993#M43621 <P>See the answer by @alacercogitatus. He is spot on.</P> Tue, 21 Mar 2017 14:20:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360993#M43621 woodcock 2017-03-21T14:20:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360994#M43622 <P>Hello Woodcock,</P> <P>Yes that is correct, I want to strip certain raw events (fields) from the event and then send to indexer.</P> <P>Please advise.</P> <P>Unfortunately , I will not be able to use Splunk Stream for now.</P> Tue, 21 Mar 2017 19:58:28 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360994#M43622 hemendralodhi 2017-03-21T19:58:28Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360995#M43623 <P>Thanks for the recommendation , but I may not be able to use Stream for now but look into it later.</P> Tue, 21 Mar 2017 19:59:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360995#M43623 hemendralodhi 2017-03-21T19:59:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360996#M43624 <P>Actually (without the period):</P> <P><A href="http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/ConfigureFlowcollector">http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/ConfigureFlowcollector</A></P> Tue, 21 Mar 2017 20:01:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360996#M43624 woodcock 2017-03-21T20:01:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360997#M43625 <P>Stream is really your only option here. You cannot <EM>simply</EM> and <EM>easily</EM> remove specific fields from the Netflow traffic using <CODE>props</CODE> and <CODE>transforms</CODE>. You can drop ENTIRE events, yes, but you cannot pull out specific fields. You need stream to do that, otherwise you will be writing some very Nasty <CODE>SEDCMD</CODE> settings.</P> Tue, 21 Mar 2017 20:01:18 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360997#M43625 alacercogitatus 2017-03-21T20:01:18Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360998#M43626 <P>edited thanks!</P> Tue, 21 Mar 2017 20:02:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-NetFlow-How-to-filter-Netflow-data-and-send/m-p/360998#M43626 alacercogitatus 2017-03-21T20:02:06Z