https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245175#M47404 <P>Yes, everything, it actually looks like the filtering might not be being applied at all.</P> Thu, 13 Oct 2016 02:24:40 GMT mrgibbon 2016-10-13T02:24:40Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245169#M47398 <P>Hi all, Im trying to do file nullQueue filtering on my HWF.<BR /> I want to keep the log entries for /sausages but drop the ones for /sausages/data</P> <P>So far I have this: (test setup on desktop)<BR /> <STRONG>PROPS.CONF</STRONG><BR /> [source::/home/splunk/Desktop/xxx/fs-audit.log*]<BR /> TRANSFORMS-set= setnull,whitelist,blacklist</P> <P><STRONG>TRANSFORMS.CONF</STRONG><BR /> [setnull]<BR /> REGEX= .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[whitelist]<BR /> REGEX = /sausages<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[blacklist]<BR /> REGEX = /sausages/data<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>I did play with escaping the slashes like \/sausages\/ but that didnt work either.</P> <P>Thanks in advance.</P> Thu, 13 Oct 2016 01:04:16 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245169#M47398 mrgibbon 2016-10-13T01:04:16Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245170#M47399 <P>These configurations are filtering your data on an event by event basis. Am I right in thinking you are wanting to filter out whole log files depending on their location? If so, you probably want to configure this in inputs.conf rather than props.<BR /> Also, for your whitelist and blacklist stanzas, Splunk is looking in _raw for /sausages and /sausages/data. Can these phrases be found in the events that you are filtering out? If so, can you provide an example event?</P> Thu, 13 Oct 2016 02:10:24 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245170#M47399 lquinn 2016-10-13T02:10:24Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245171#M47400 <P>Yes, all the data is in one audit.log file, I want to remove any entries with /sausages/data but keep everything else with /sausages.<BR /> I thought the . regex at the start would kill off any other entries in the file too.</P> Thu, 13 Oct 2016 02:19:26 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245171#M47400 mrgibbon 2016-10-13T02:19:26Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245172#M47401 <P>So are you receiving any events at the moment?</P> Thu, 13 Oct 2016 02:22:39 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245172#M47401 lquinn 2016-10-13T02:22:39Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245173#M47402 <P>Hi mrgibbon, </P> <P>I wonder if you could just directly define your filter criteria in the regex rather than use whitelist and blacklist: </P> <P><STRONG>TRANSFORMS.CONF</STRONG><BR /> [setnull]<BR /> REGEX= /sausages/data<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>It's worth a try. Thanks!<BR /> Hunter</P> Thu, 13 Oct 2016 02:22:53 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245173#M47402 hunters_splunk 2016-10-13T02:22:53Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245174#M47403 <P>So keep the first log entry and nullQueue the 2nd one:</P> <P>2016-09-26T10:17:38+10:00 fort audit: [ID 702911 audit.notice] open(2) - read,write ok session 2315219746 by user as user:user from 23.23.23.23 obj /sausages/KEEPME.DAT</P> <P>2016-09-26T10:17:38+10:00 fort audit: [ID 702911 audit.notice] open(2) - read,write ok session 2315219746 by user as user:user from 23.23.23.23 obj /sausages/data/somecorp/test.DAT</P> Thu, 13 Oct 2016 02:23:04 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245174#M47403 mrgibbon 2016-10-13T02:23:04Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245175#M47404 <P>Yes, everything, it actually looks like the filtering might not be being applied at all.</P> Thu, 13 Oct 2016 02:24:40 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245175#M47404 mrgibbon 2016-10-13T02:24:40Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245176#M47405 <P>yeah, the problem is, that this is just one example in this file, there are many others to add too.<BR /> I just want to start solving a small issue and work on it from there, its driving me nuts.</P> <P>My original transforms.conf looked like this:</P> <P>TRANSFORMS.CONF<BR /> [setnull]<BR /> REGEX= .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[whitelist]<BR /> REGEX = /etc|/usr|/bin|/sbin|/opt|/uniworks|/u|/lib<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[blacklist]<BR /> REGEX = /var|/tmp|/vol|/system|/rpool|/proc|/net|/mnt|/backup|/archive|/devices|/export|/kernel|/platform|/uniworks/data<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> Thu, 13 Oct 2016 02:26:23 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245176#M47405 mrgibbon 2016-10-13T02:26:23Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245177#M47406 <P>Is it possible that you define a sourcetype for all the events you want to exclude from indexing and then you can send data of that sourcetype to nullQueue? <BR /> And just like lguinn suggested, it's advisable to use SOURCE=MetaData.Source to just filter the source. <BR /> Thanks! </P> Thu, 13 Oct 2016 02:42:32 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245177#M47406 hunters_splunk 2016-10-13T02:42:32Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245178#M47407 <P>Sorted it. <BR /> There was a second file added to the inputs.conf and it didn't have the transforms applied to it!<BR /> So I was filtering on just one file, everything from the 2nd file was getting through.<BR /> Thanks so much for the help!!</P> Thu, 13 Oct 2016 02:46:20 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245178#M47407 mrgibbon 2016-10-13T02:46:20Z https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245179#M47408 <P>Glad to know you have figured it out. Cheers! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Thu, 13 Oct 2016 02:50:24 GMT https://community.splunk.com/t5/Getting-Data-In/Props-and-Transforms-include-base-folder-but-not-some-sub/m-p/245179#M47408 hunters_splunk 2016-10-13T02:50:24Z