<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using And condition between two different SOURCE_KEY in a stanza inside transforms.conf or in props.conf in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483651#M82860</link>
    <description>&lt;P&gt;What's the difference? The below works for you, doesn't it?&lt;BR /&gt;
     TRANSFORMS-checkpoint_events = parse-action, parse-hosts&lt;/P&gt;</description>
    <pubDate>Fri, 20 Sep 2019 04:21:04 GMT</pubDate>
    <dc:creator>rupesh26</dc:creator>
    <dc:date>2019-09-20T04:21:04Z</dc:date>
    <item>
      <title>Using And condition between two different SOURCE_KEY in a stanza inside transforms.conf or in props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483650#M82859</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I want to filter out Checkpoint events based on two different conditions: &lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;It comes from a specific IP XX.XX.XX.XX, I have this information in host metadata field.&lt;/LI&gt;
&lt;LI&gt;The action field after parsing the _raw can't be equal to allowed.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;I can filter out these two conditions separately with stanzas like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[parse-action]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue

[parse-hosts]
SOURCE_KEY = MetaData:Host
REGEX = (xx.xx.xx.xx|yy.yy.yy.yy)
DEST_KEY = queue
FORMAT = nullQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But I need that both of them are true at the same time, so I need to do an and between them.&lt;/P&gt;

&lt;P&gt;How could I accomplish this?&lt;/P&gt;

&lt;P&gt;Ps. I don't have the host info anywhere in the _raw data, so I can't use the same regex&lt;/P&gt;

&lt;P&gt;Edit: Another approach will be to add the and condition in props.conf. This is the configuration right now:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TRANSFORMS-checkpoint_events = parse-action, parse-hosts
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Instead of telling it to apply this after this, I want to apply this AND this&lt;/P&gt;</description>
      <pubDate>Wed, 18 Sep 2019 13:47:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483650#M82859</guid>
      <dc:creator>jorcabro</dc:creator>
      <dc:date>2019-09-18T13:47:32Z</dc:date>
    </item>
    <item>
      <title>Re: Using And condition between two different SOURCE_KEY in a stanza inside transforms.conf or in props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483651#M82860</link>
      <description>&lt;P&gt;What's the difference? The below works for you, doesn't it?&lt;BR /&gt;
     TRANSFORMS-checkpoint_events = parse-action, parse-hosts&lt;/P&gt;</description>
      <pubDate>Fri, 20 Sep 2019 04:21:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483651#M82860</guid>
      <dc:creator>rupesh26</dc:creator>
      <dc:date>2019-09-20T04:21:04Z</dc:date>
    </item>
    <item>
      <title>Re: Using And condition between two different SOURCE_KEY in a stanza inside transforms.conf or in props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483652#M82861</link>
      <description>&lt;P&gt;But that applies both of the transforms no matter what.&lt;BR /&gt;
I only want to apply the transforms if, and only if, both of the conditions are true. That means traffic from host xxxx AND accepted, not traffic from host xxxx OR traffic accepted.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2019 16:03:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483652#M82861</guid>
      <dc:creator>jorcabro</dc:creator>
      <dc:date>2019-09-23T16:03:45Z</dc:date>
    </item>
    <item>
      <title>Re: Using And condition between two different SOURCE_KEY in a stanza inside transforms.conf or in props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483653#M82862</link>
      <description>&lt;P&gt;Think it's tricky, as per the configurations the transforms are applied in order. So in any case both conditions would apply. So I don't think it's achievable. You can raise a case to Splunk and see if there is a solution for this.&lt;/P&gt;

&lt;P&gt;Meanwhile if you can add the host as well to the _raw events that is also a workaround. &lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2019 05:42:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-And-condition-between-two-different-SOURCE-KEY-in-a-stanza/m-p/483653#M82862</guid>
      <dc:creator>rupesh26</dc:creator>
      <dc:date>2019-09-25T05:42:08Z</dc:date>
    </item>
  </channel>
</rss>

