https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329405#M61091 <P>Are those really joined on one line? If so, then you have no active configurations. It should be like this:</P> <P>$SPLUNK_HOME/etc/system/local/props.conf</P> <PRE><CODE># Filtrage de tout sauf les accept [JuniperFW] TRANSFORMS-remove_juniper_permit = remove_juniper_permit </CODE></PRE> <P>$SPLUNK_HOME/etc/system/local/transform.conf</P> <PRE><CODE># Accepter tout sauf les Permit [remove_juniper_permit] REGEX = action=Permit DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>But the <EM>real</EM> problem is that this needs to be deployed to your <EM>Indexers</EM> (not forwarder) and all Splunk instances there need to be restarted. Then check the newly forwarded/indexed events (old <CODE>Permits</CODE> will still be there). This all assumes that the events have <CODE>sourcetype</CODE> of <CODE>JuniperFW</CODE>.</P> Mon, 11 Sep 2017 14:32:16 GMT woodcock 2017-09-11T14:32:16Z https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329404#M61090 <P>Hi, </P> <P>I parsed a lot of post on splunk answers, but I still have a problem to filter a specific sourcetype.</P> <P>Here the log line I want to trash<BR /> <CODE>Sep 11 16:16:08 192.168.24.35 ROOT_FW_2: NetScreen device_id=ROOT_FW_2 [Root]system-notification-00257(traffic): start_time="2017-09-11 16:15:51" duration=16 policy_id=86 service=smtp (tcp) proto=6 src zone=zone_in dst zone=zone_out action=Permit sent=22056 rcvd=1284 src=192.168.1.1 dst=192.168.10.10 src_port=40049 dst_port=80 src-xlated ip=192.168.100.5 port=40049 dst-xlated ip=10.25.23.55 port=80 session_id=1015055 reason=Close - TCP FIN</CODE></P> <P>On my Formwarder:<BR /> $SPLUNK_HOME/etc/system/local/props.conf<BR /> <CODE># Filtrage de tout sauf les accept<BR /> [JuniperFW]<BR /> TRANSFORMS-Juniper-null = remove_juniper_permit</CODE></P> <P>$SPLUNK_HOME/etc/system/local/transform.conf<BR /> <CODE># Accepter tout sauf les Permit<BR /> [remove_juniper_permit]<BR /> REGEX = action=Permit<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE></P> <P>Splunkd was restarted with no stanza errors<BR /> My Splunk version is 6.6.3.</P> <P>Does anyone should have de clue or a way to debug this ?</P> <P>Thank's a lot.</P> Tue, 29 Sep 2020 15:42:24 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329404#M61090 o_calmels 2020-09-29T15:42:24Z https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329405#M61091 <P>Are those really joined on one line? If so, then you have no active configurations. It should be like this:</P> <P>$SPLUNK_HOME/etc/system/local/props.conf</P> <PRE><CODE># Filtrage de tout sauf les accept [JuniperFW] TRANSFORMS-remove_juniper_permit = remove_juniper_permit </CODE></PRE> <P>$SPLUNK_HOME/etc/system/local/transform.conf</P> <PRE><CODE># Accepter tout sauf les Permit [remove_juniper_permit] REGEX = action=Permit DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>But the <EM>real</EM> problem is that this needs to be deployed to your <EM>Indexers</EM> (not forwarder) and all Splunk instances there need to be restarted. Then check the newly forwarded/indexed events (old <CODE>Permits</CODE> will still be there). This all assumes that the events have <CODE>sourcetype</CODE> of <CODE>JuniperFW</CODE>.</P> Mon, 11 Sep 2017 14:32:16 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329405#M61091 woodcock 2017-09-11T14:32:16Z https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329406#M61092 <P>Hi o.calmels,<BR /> in regex you have to insert a backslash before equal (=) because it's a special char.<BR /> try something like this:<BR /> in props.conf</P> <PRE><CODE>[JuniperFW] TRANSFORMS-Juniper-null = remove_juniper_permit </CODE></PRE> <P>in transforms.conf</P> <PRE><CODE>[remove_juniper_permit] REGEX = action\=Permit DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 11 Sep 2017 14:35:11 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329406#M61092 gcusello 2017-09-11T14:35:11Z https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329407#M61093 <P>Hi woodcock, cusello,</P> <P>Thank's for your response, all the lines are not joined in one line.<BR /> After trying your solutions, i contact splunk support team and the error is simply on the filename ! <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> <P>Yes, I forgive the "s" at the and of <CODE>transforms.conf</CODE></P> <P>Everything OK now !</P> <P>Olivier</P> Thu, 14 Sep 2017 07:26:31 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-filtering-with-props-conf-and-transform-conf/m-p/329407#M61093 o_calmels 2017-09-14T07:26:31Z