https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67528#M13599 <P>Hi,</P> <P>now is working. I have changed </P> <P>[splunktcp://:22222]</P> <P>for </P> <P>[cisco_asa]</P> <P>thanks</P> Wed, 20 Mar 2013 13:49:52 GMT fahrenheit 2013-03-20T13:49:52Z https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67522#M13593 <P>Good morning,</P> <P>I have a problem filtering data from UF.</P> <P>The scenario:</P> <P>UF --&gt; Splunk indexer</P> <P>configuration in UF: </P> <H2>inputs.conf</H2> <P>[default]</P> <P>host = server1</P> <P>[monitor:///home/user/prueba/]</P> <P>disabled = false</P> <P>index = firewall</P> <P>sourcetype = cisco_asa</P> <P>queue = parsingQueue</P> <HR /> <H2>outputs.conf</H2> <P>[tcpout]</P> <P>defaultGroup = splunk</P> <P>[tcpout:splunk]</P> <P>disabled = false</P> <P>server = 1.1.1.1:22222</P> <P>compressed = false</P> <P>[tcpout-server://1.1.1.1:22222]</P> <HR /> <H2>Configuration in splunk indexer</H2> <P>/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/props.conf</P> <P>[splunktcp://:22222]</P> <P>TRANSFORMS-set= setnull,setparsing</P> <HR /> <P>/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf</P> <P>[setnull]</P> <P>REGEX = .</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>[setparsing]</P> <P>REGEX = (ASA-4-113019|ASA-5-713120)</P> <P>DEST_KEY = queue</P> <P>FORMAT = indexQueue</P> <P>I received all data and the data isn´t filtred</P> <P>can you help?</P> <P>thanks</P> Mon, 28 Sep 2020 13:33:16 GMT https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67522#M13593 fahrenheit 2020-09-28T13:33:16Z https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67523#M13594 <P>I guess you did restart or ran "| extract reload=t" und Splunk Web respectively?</P> <P>You could also do the filtering at the UF.</P> Wed, 20 Mar 2013 12:18:41 GMT https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67523#M13594 bjoernjensen 2013-03-20T12:18:41Z https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67524#M13595 <P>Hi,</P> <P>I just did some testing on this topic using the filtering at the UF.</P> <P>A short addition to what is discribed in the documentation (<A href="http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues">link</A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> I had to keep my entry in the <CODE>inputs.conf</CODE>. For example:</P> <P><CODE>inputs.conf:<BR /> [WinEventLog:Security]<BR /> disabled = 0</CODE></P> <P><CODE>props.conf:<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-set= setnull,setparsing<BR /> disabled = 0</CODE></P> <P><CODE>transforms.conf:<BR /> [setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE></P> <P><CODE>[setparsing]<BR /> REGEX = Protokoll:[\w]+17<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</CODE></P> <P>After restarting the UF service I only got according filtered events. Of course searching only back to that point in time where I restarted the UF-service.</P> Wed, 20 Mar 2013 13:04:48 GMT https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67524#M13595 bjoernjensen 2013-03-20T13:04:48Z https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67525#M13596 <P>yes, i have restard splunk web service.</P> <P>Can i filter in UF? i think that isn´t posible, only in heavy forwarder.</P> <P>thanks</P> Wed, 20 Mar 2013 13:10:48 GMT https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67525#M13596 fahrenheit 2013-03-20T13:10:48Z https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67526#M13597 <P>I have configured props.conf and transforms.conf in UF and i receive alls events. I have restarted the service in UF</P> Wed, 20 Mar 2013 13:24:01 GMT https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67526#M13597 fahrenheit 2013-03-20T13:24:01Z https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67527#M13598 <P>if i send the logs from firewall to splunk the filter is ok, but if i send the logs by UF the filter not working</P> <P>thanks</P> Wed, 20 Mar 2013 13:26:38 GMT https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67527#M13598 fahrenheit 2013-03-20T13:26:38Z https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67528#M13599 <P>Hi,</P> <P>now is working. I have changed </P> <P>[splunktcp://:22222]</P> <P>for </P> <P>[cisco_asa]</P> <P>thanks</P> Wed, 20 Mar 2013 13:49:52 GMT https://community.splunk.com/t5/Getting-Data-In/problem-filtering-data/m-p/67528#M13599 fahrenheit 2013-03-20T13:49:52Z