topic Re: Filtering out data (from a forwarder) on Indexer? in Getting Data In

Filtering out data (from a forwarder) on Indexer?

spunk311z — Thu, 13 Feb 2020 16:22:21 GMT

hi, i have several universal forwarders deployed, and im getting lots of events i want to filter out.

I understand from reading answers here i need to do this on the indexer (or else install heavy forwaders on my endpoints, which i dont want to do).
This is a raw entry that im trying to drop / filter out from my indexer (ie to keep it from using up lots of my license):

02/13/2020 10:19:09.016
event_status="(0)The operation completed successfully."
pid=1216
process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
registry_type="CreateKey"
key_path="HKLM\system\controlset001\services\tcpip\parameters"
data_type="REG_NONE"
data=""

This is the entry from the inputs.conf on the forwarders that is sending some of the events i want to filter out:

    [WinRegMon://default]
    disabled = 0
    hive = .*
    proc = .*
    type = rename|set|delete|create

And i have added these lines on my indexer (and restarted), but im still seeing the events come in:

#on props.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\props.conf):

[WinRegMon://default]
TRANSFORMS-set= setnull

#on transforms.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\transforms.conf):

[setnull]
REGEX = process_image=.+vmtoolsd.exe"
DEST_KEY = queue
FORMAT = nullQueue

Thanks!
(ive been referencing many answers, including this good one):
(h)ttps:// answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html

Re: Filtering out data (from a forwarder) on Indexer?

anmolpatel — Mon, 02 Mar 2020 00:53:35 GMT

after making the changes, did you do any of the following:
- run the search:
| extract reload=T
OR
- http[s]://[splunkWebHostname]:[splunkWebPort]/debug/refresh
OR
- restart splunk -- /opt/splunk/bin/splunk restart?

and then validate ?

Re: Filtering out data (from a forwarder) on Indexer?

manjunathmeti — Wed, 30 Sep 2020 04:23:07 GMT

Stanza name in props.conf should be source::<source*>* or sourcetype. Set sourcetype attribute in inputs.conf and use same as stanza in props.conf. You can also put props.conf and transforms.conf on universal forwarders.

inputs.conf

 [WinRegMon://default]
 disabled = 0
 hive = .*
 proc = .*
 type = rename|set|delete|create
 sourcetype = winregmonitor

props.conf

[winregmonitor]
TRANSFORMS-set= setnull

Re: Filtering out data (from a forwarder) on Indexer?

isoutamo — Mon, 02 Mar 2020 10:18:13 GMT

You should put these under ...\etc\apps\local or ...\etc\system\local instead of under user\admin if you want use those on indexing time.

Ismo

Re: Filtering out data (from a forwarder) on Indexer?

to4kawa — Mon, 02 Mar 2020 12:10:47 GMT

transforms.conf

[setnull]
REGEX = (?s).*process_image.*vmtoolsd\.exe.*
DEST_KEY = queue
FORMAT = nullQueue

REGEX captures all.

Re: Filtering out data (from a forwarder) on Indexer?

vinod94 — Tue, 03 Mar 2020 15:50:47 GMT

This might help you!

https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad