https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393338#M70237 <P>Thank you .How to add another event name in that REGEX , is there a syntax to add and ca the stanza TRANSFORMS-drop_eventname_getobject = drop_eventname_getobject be used for all multiple source types if they have the same kind of data or do we need to create another one?</P> Wed, 30 Sep 2020 01:29:16 GMT vrmandadi 2020-09-30T01:29:16Z https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393334#M70233 <P>I have json type of data and below is the sample events .I want to filter out the events which have the field called event name with <BR /> vale GetObject i.e . eventName=GetObject </P> <P>sample event 1</P> <P>{"awsRegion": "xx", "recipientAccountId": "1111111111", "responseElements": null, "eventVersion": "1.05", "userAgent": "aws-sdk-java/1.11.569 Linux/4.14.77-70.59.amzn1.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 groovy/2.4.15 vendor/Oracle_Corporation", "sourceIPAddress": "54.xx.xx.xxx", "eventID": "25ac22f1-510c-461d-9c3f-4ef9010e6754", "requestID": "adaca173-a9d9-11e9-b947-41a6f2f9bb94", "eventName": "<STRONG>GetObject</STRONG>", "eventType": "AwsApiCall", "requestParameters": {"maxRecords": 100}, "userIdentity": {"accessKeyId": "edgwrhrhrwhwr", "principalId": "AROAJQQOLVHH4PVA7NPZM:redlock", "type": "AssumedRole", "arn": "arn:aws:sts::583542881430:assumed-role/RedLockReadOnlyCyber/redlock", "sessionContext": {"attributes": {"mfaAuthenticated": "false", "creationDate": "2019-07-19T03:45:44Z"}, "sessionIssuer": {"principalId": "AROAJQQOLVHH4PVA7NPZM", "userName": "ddd", "accountId": "ddd", "type": "Role", "arn": "arn:aws:iam::533333333:role/lockr"}}, "accountId": "111111"}, "eventSource": "asss.com", "eventTime": "2019-07-19T03:59:59Z"}</P> <P>sample event 2<BR /> {"awsRegion": "xx", "recipientAccountId": "1111111", "responseElements": null, "eventVersion": "1.05", "userAgent": "aws-sdk-java/1.11.569 Linux/4.14.77-70.59.amzn1.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 groovy/2.4.15 vendor/Oracle_Corporation", "sourceIPAddress": "11.xx.xx.xxxx", "eventID": "25f2b67b-802d-4736-b218-6044ce605ed9", "requestID": "ad7e8c91-a9d9-11e9-b947-41a6f2f9bb94", "eventName": "<STRONG>DescribeAutoScalingGroups</STRONG>", "eventType": "AwsApiCall", "requestParameters": {"maxRecords": 100}, "userIdentity": {"accessKeyId": "ASXXXXXXXXXXXXXXX", "principalId": "AROAJQQSFGWEGEG:redlock", "type": "AssumedRole", "arn": "arn:aws:sts::123425413513:assumed-role/R/redl", "sessionContext": {"attributes": {"mfaAuthenticated": "false", "creationDate": "2019-07-19T03:45:44Z"}, "sessionIssuer": {"principalId": "AROEGEDG", "userName": "RedLockReadOnlyCyber", "accountId": "12222222", "type": "Role", "arn": "arn:aws:iam::22222222:role/OnlyCyber"}}, "accountId": "23333333"}, "eventSource": "autoscaling.amazonaws.com", "eventTime": "2019-07-19T03:59:59Z"}</P> <P>Thanks in advance</P> Wed, 30 Sep 2020 01:21:04 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393334#M70233 vrmandadi 2020-09-30T01:21:04Z https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393335#M70234 <P>On your Indexers (or HFs if you use them), do this:</P> <P>In props.conf:</P> <PRE><CODE>[&lt;Your sourcetype here&gt;] TRANSFORMS-drop_eventname_getobject = drop_eventname_getobject </CODE></PRE> <P>In transforms.conf:</P> <PRE><CODE>[drop_eventname_getobject] REGEX = ,\s*"eventName":\s*"GetObject", DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Fri, 19 Jul 2019 23:21:12 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393335#M70234 woodcock 2019-07-19T23:21:12Z https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393336#M70235 <P>Thank You @woodcock it worked .What exactly is the syntax that this REGEX you have written uses .You have used \s* which searches for white space character but in the data there is no space for , "eventName": "GetObject", and you have used comma "," with escaping it in / and finally you have used the "eventName": and "GetObject" literally the word .</P> <P>Is this different kind of syntax that is used .Can you please explain how this works and if we want to add another event name should I just add another line in transforms called REGEX or how to add multiple filters </P> Mon, 22 Jul 2019 18:48:09 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393336#M70235 vrmandadi 2019-07-22T18:48:09Z https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393337#M70236 <P>I like to code for obvious/predictable variants so that, as much as possible, my RegEx is future-proof. It is true that this means that my RegEx is not quite as efficient as it optimally could be, but I believe that the fault-tolerance is worth it. Most people will not agree with me.</P> Tue, 23 Jul 2019 13:45:29 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393337#M70236 woodcock 2019-07-23T13:45:29Z https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393338#M70237 <P>Thank you .How to add another event name in that REGEX , is there a syntax to add and ca the stanza TRANSFORMS-drop_eventname_getobject = drop_eventname_getobject be used for all multiple source types if they have the same kind of data or do we need to create another one?</P> Wed, 30 Sep 2020 01:29:16 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393338#M70237 vrmandadi 2020-09-30T01:29:16Z https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393339#M70238 <P>Yes, any stanza in <CODE>transforms.conf</CODE> may be referenced multiple times from various stanzas in <CODE>props.conf</CODE>. That is the whole idea.</P> Sat, 27 Jul 2019 19:09:37 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-logs-before-indexing/m-p/393339#M70238 woodcock 2019-07-27T19:09:37Z