topic Re: Not Able to send data to Null Queue in Getting Data In

Not Able to send data to Null Queue

istutig — Wed, 30 Sep 2020 03:55:30 GMT

Hi
How to edit props.conf or blacklist the sub sourcetype

Have integrated PALO ALTO logs to Splunk it is fetching 3 sourcetypes. The pan:log sourcetyoe having pan:userid as sub sourcetype, it's generating alot of events so I want to discard them.
Tried with the Null Queue but the problem is for 1-minute window the userid is not coming whereas for 5-minute window it is coming.

props.conf:
[source::udp:514]
TRANSFORMS-null_syslogs=pa_useridnull

transforms:
[pa_useridnull]
REGEX = type=USERID
DEST_KEY = queue
FORMAT = nullQueue

Re: Not Able to send data to Null Queue

Wallace44 — Thu, 06 Feb 2020 01:03:24 GMT

I don't believe you can use type=USERID because that is a post index key pair that's generated. That regex won't match the raw logs.

I'd suggest exporting a chunk of your logs, and then going to a regex builder site and modifying your regex to match. Most regex builder sites have a tool where you can paste data and it will highlight what your regex matches. regexr.com is a site that you might find handy.

Re: Not Able to send data to Null Queue

Wallace44 — Thu, 06 Feb 2020 01:11:38 GMT

Based on my PA logs, regex of USERID,login would match the logs you want, however YMMV as I cannot see what logs you've got coming in to Splunk.

Re: Not Able to send data to Null Queue

rc15 — Thu, 10 Sep 2020 16:57:09 GMT

Hi,

We are having same problem. Can you please provide solution if issue is resolved?