topic Re: Data filtering | Blacklisting help needed in Getting Data In

Data filtering | Blacklisting help needed

SabariRajanT — Mon, 27 Jul 2020 11:29:28 GMT

In order to filter below data logs not to ingest into splunk.

%DOMAIN-2-IME:
%DOMAIN-2-IME_DETAILS:
%DOMAIN-5-TCA:

Following techniques followed but it didn't worked out

a)Using Regex expression in transform.conf as \%.*\: to filter all the above 3 domain in transform.conf file(heavy forwarder) even-though logs are ingesting into splunk. Like below

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

b)Using Hardcode values as below in transform.conf file doesn't worked out

REGEX = %DOMAIN-2-IME:

REGEX = %DOMAIN-2-IME_DETAILS:

REGEX = %DOMAIN-5-TCA:

Any other solution to black list in heavy forwarder.?

Re: Data filtering | Blacklisting help needed

harsmarvania57 — Mon, 27 Jul 2020 11:41:01 GMT

Hi,

Can you please provide props.conf configuration as well ?

Re: Data filtering | Blacklisting help needed

SabariRajanT — Mon, 27 Jul 2020 13:10:53 GMT

Hi,

Thanks for your response. Awaiting your help.

Set1 try:

Props.conf:

TRANSFORMS-Set = discard_events, discard_events1, discard_events_2

================================================================================

Set2 try:

Props.conf:

[cisco:ios]
TRANSFORMS-t1=[elimatedomain_text]

Transform.conf:

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

Re: Data filtering | Blacklisting help needed

harsmarvania57 — Mon, 27 Jul 2020 13:11:24 GMT

In props.conf, there should be not square bracket in TRANSFORMS

It should be like

[cisco:ios] TRANSFORMS-t1= elimatedomain_text